Re: Newbie Question here...
On 4/24/2012 6:19 PM, bfinkel...@aaamissouri.com wrote: I have installed Win32 Binary including OpenSSL 0.9.8t (MSI Installer): httpd-2.2.22-win32-x86-openssl-0.9.8t.msi http://newverhost.com/pub//httpd/binaries/win32/httpd-2.2.22-win32-x86-openssl-0.9.8t.msi on my windows server. I want to upgrade JUST openSSL that's bundled with this install to the latest PCI compliant version. I want to go to OpenSSL 0.9.8u or possibly w.How can I do just that ? Is there a step by step guide out there? 1. Find out how the people who made that bundle compiled OpenSSL, in particular if they used the standard compile or made some changes. 2. If they made their own changes to OpenSSL, you will need to find someone who knows how to make the same changes to the latest OpenSSL (version 0.9.8w, released earlier today). 3. If they used the standard compile, go to http://openssl.org/related/binaries.html, follow the link to the prebuilt binaries by Shining Light Productions and wait for them to make a 0.9.8w package (a few minutes ago, they only had 0.9.8v, which is still better than 0.9.8t). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Newbie confusion
Please ignore my previous email for the moment. It seems we're not sure whether out binaries are official, pre-built ones or if they were built elsewhere. Presumably there are some official Windows DLLs and libs somewhere are there? John__ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Newbie confusion
On Thu, Dec 8, 2011 at 8:45 AM, John Emmas john...@tiscali.co.uk wrote: Please ignore my previous email for the moment. It seems we're not sure whether out binaries are official, pre-built ones or if they were built elsewhere. Presumably there are some official Windows DLLs and libs somewhere are there? When working with OpenSSL on Windows, I prefer Shining Light's gear. Thomas Hruska does a great job of building and packaging OpenSSL. http://www.slproweb.com/products/Win32OpenSSL.html. Jeff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Newbie confusion
On 8 Dec 2011, at 13:55, Jeffrey Walton wrote: When working with OpenSSL on Windows, I prefer Shining Light's gear. Thomas Hruska does a great job of building and packaging OpenSSL. Good suggestion Jeff, thanks. I'll look into that. John __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Newbie Struggles with SMIME
On Tue, Feb 15, 2011, ManicPixel wrote: Hello, I've been searching the mail archives for days and pouring over the examples in the /demo projects and can't seem to figure this one out on my own. I'm trying to use OpenSSL to encrypt and decrypt S/MIME messages. I'd be happy with decrypt at this point! I am a rookie with encryption and SMIME so forgive the massive post but I wanted to try and explain my situation as best I could. I have an smime.p7m signed and encrypted file generated by Outlook and a encrypt.p12 with the user certificate, public private keys. What I've managed to cobble together based from many posts in these archives, the demos and documentation is the following. Before you write a program have you tried the cms utility to see if it can correctly decrypt/verify the message? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Newbie Struggles with SMIME
Did I mention I was a rookie? :-) I had not tried that. Excellent suggestion, thank you. I just did (after a crash course in cert key exports). I do get the following error, however I signed the message and my certs are decrypting it. Verify error:self signed certificate in certificate chain Adding the -noverify flag I see the correct content of the message output in the console. Progress!!! That exercise highlighted the problem (I think). The cms utility generated a decrypted SMIME text file of 9440 bytes. The same process using my program creates a file of 8192 bytes. The data does appear to be identical up to the point it's truncated. I suppose the first step is to include the cms utility's file into my program to verify I can extract the contents from properly structured SMIME data. The second step would be to then determine why the data is being truncated using CMS_decrypt(). Could that be a problem with how I've configured the BIO? Thank you so much for the help! On Tue, Feb 15, 2011 at 11:24 AM, Dr. Stephen Henson st...@openssl.orgwrote: On Tue, Feb 15, 2011, ManicPixel wrote: Hello, I've been searching the mail archives for days and pouring over the examples in the /demo projects and can't seem to figure this one out on my own. I'm trying to use OpenSSL to encrypt and decrypt S/MIME messages. I'd be happy with decrypt at this point! I am a rookie with encryption and SMIME so forgive the massive post but I wanted to try and explain my situation as best I could. I have an smime.p7m signed and encrypted file generated by Outlook and a encrypt.p12 with the user certificate, public private keys. What I've managed to cobble together based from many posts in these archives, the demos and documentation is the following. Before you write a program have you tried the cms utility to see if it can correctly decrypt/verify the message? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: (newbie) private key vs. keystore confusion
Actually, according to Wikipedia, the PKCS #12 format (*.p12) can be used as a keystore within Java, as explained here: http://en.wikipedia.org/wiki/PKCS PKCS #12: Defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key. PFX is a predecessor to PKCS#12. This container format can contain multiple embedded objects, e.g. multiple certificates. Usually protected/encrypted with a password. Can be used as a format for the Java key store. Usable by Tomcat, but NOT by Apache. So I guess it's both--a private key/certificate pair, but if one wanted, multiple certificates--and I guess multiple private keys--could be stored within the same file. Glen -Original Message- From: Mazza, Glen R. Sent: Mon 12/28/2009 6:19 PM To: openssl-users@openssl.org Subject: RE: (newbie) private key vs. keystore confusion OK, apparently then a keystore (as defined here[1]) is really just a Java language-specific construct, and the .p12 is a certificate/private key pair (not a keystore). Thanks all for your responses, Glen [1] http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Anand Patel Sent: Sunday, December 27, 2009 9:10 PM To: openssl-users@openssl.org Subject: Re: (newbie) private key vs. keystore confusion Not sure what you mean by keystore but above command combines certificate and key in PKCS12 format service.p12. -Anand On Thu, Dec 24, 2009 at 10:33 AM, Mazza, Glen R. glen.r.ma...@saic.com wrote: Hello, I'm confused somewhat about the workings of OpenSSL, in particular the following command: openssl pkcs12 -export -inkey servicekey.pem -in servicecert.pem -out service.p12 -name myservicekey -passin pass:sspass -passout pass:skpass Question: Does the above command create a private key named service.p12 or a keystore named service.p12 that has a private key within it? I'm not sure what service.p12 is -- is it a keystore or a private key? If it is a keystore containing a private key, just to confirm, there is no real way with OpenSSL to create a private key without its enclosing keystore, correct? I.e., it is usual and normal for OpenSSL to create its private keys within keystores. But if it is just a private key, does OpenSSL provide the ability to create a keystore that can be used to house this private key? (What would the command be for that)? Thanks, Glen
RE: (newbie) private key vs. keystore confusion
OK, apparently then a keystore (as defined here[1]) is really just a Java language-specific construct, and the .p12 is a certificate/private key pair (not a keystore). Thanks all for your responses, Glen [1] http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Anand Patel Sent: Sunday, December 27, 2009 9:10 PM To: openssl-users@openssl.org Subject: Re: (newbie) private key vs. keystore confusion Not sure what you mean by keystore but above command combines certificate and key in PKCS12 format service.p12. -Anand On Thu, Dec 24, 2009 at 10:33 AM, Mazza, Glen R. glen.r.ma...@saic.com wrote: Hello, I'm confused somewhat about the workings of OpenSSL, in particular the following command: openssl pkcs12 -export -inkey servicekey.pem -in servicecert.pem -out service.p12 -name myservicekey -passin pass:sspass -passout pass:skpass Question: Does the above command create a private key named service.p12 or a keystore named service.p12 that has a private key within it? I'm not sure what service.p12 is -- is it a keystore or a private key? If it is a keystore containing a private key, just to confirm, there is no real way with OpenSSL to create a private key without its enclosing keystore, correct? I.e., it is usual and normal for OpenSSL to create its private keys within keystores. But if it is just a private key, does OpenSSL provide the ability to create a keystore that can be used to house this private key? (What would the command be for that)? Thanks, Glen
Re: (newbie) private key vs. keystore confusion
PKCS #12 is the standard format for communicating an encrypted private key along with a certificate. It is typically used to move a private key and its associated public certificates from one system to another, or to back up (say) a webserver's private key and its certificate. -Kyle H On Thu, Dec 24, 2009 at 7:33 AM, Mazza, Glen R. glen.r.ma...@saic.com wrote: Hello, I'm confused somewhat about the workings of OpenSSL, in particular the following command: openssl pkcs12 -export -inkey servicekey.pem -in servicecert.pem -out service.p12 -name myservicekey -passin pass:sspass -passout pass:skpass Question: Does the above command create a private key named service.p12 or a keystore named service.p12 that has a private key within it? I’m not sure what service.p12 is -- is it a keystore or a private key? If it is a keystore containing a private key, just to confirm, there is no real way with OpenSSL to create a private key without its enclosing keystore, correct? I.e., it is usual and normal for OpenSSL to create its private keys within keystores. But if it is just a private key, does OpenSSL provide the ability to create a keystore that can be used to house this private key? (What would the command be for that)? Thanks, Glen __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: (newbie) private key vs. keystore confusion
On Sun December 27 2009, Anand Patel wrote: Not sure what you mean by keystore but above command combines certificate and key in PKCS12 format service.p12. -Anand On Thu, Dec 24, 2009 at 10:33 AM, Mazza, Glen R. glen.r.ma...@saic.comwrote: Hello, I'm confused somewhat about the workings of OpenSSL, in particular the following command: openssl pkcs12 -export -inkey servicekey.pem -in servicecert.pem -out service.p12 -name myservicekey -passin pass:sspass -passout pass:skpass Question: Does the above command create a private key named service.p12 or a keystore named service.p12 that has a private key within it? I’m not sure what service.p12 is -- is it a keystore or a private key? If it is a keystore containing a private key, just to confirm, there is no real way with OpenSSL to create a private key without its enclosing keystore, correct? I.e., it is usual and normal for OpenSSL to create its private keys within keystores. But if it is just a private key, does OpenSSL provide the ability to create a keystore that can be used to house this private key? (What would the command be for that)? Thanks, Glen Above what? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: (newbie) private key vs. keystore confusion
Not sure what you mean by keystore but above command combines certificate and key in PKCS12 format service.p12. -Anand On Thu, Dec 24, 2009 at 10:33 AM, Mazza, Glen R. glen.r.ma...@saic.comwrote: Hello, I'm confused somewhat about the workings of OpenSSL, in particular the following command: openssl pkcs12 -export -inkey servicekey.pem -in servicecert.pem -out service.p12 -name myservicekey -passin pass:sspass -passout pass:skpass Question: Does the above command create a private key named service.p12 or a keystore named service.p12 that has a private key within it? I’m not sure what service.p12 is -- is it a keystore or a private key? If it is a keystore containing a private key, just to confirm, there is no real way with OpenSSL to create a private key without its enclosing keystore, correct? I.e., it is usual and normal for OpenSSL to create its private keys within keystores. But if it is just a private key, does OpenSSL provide the ability to create a keystore that can be used to house this private key? (What would the command be for that)? Thanks, Glen
Re: Newbie question on EVP API
Alexey Luchko l...@ank-sia.com writes: I'm new to openssl. I've got two questions on EVP API: 1. What do EVP_EncryptInit_ex and EVP_CipherInit_ex differ with? When should I use encrypt/decrypt and when cipher? If you look at the source, EVP_EncryptInit_ex/EVP_DecryptInit_ex are just trivial wrappers around EVP_CipherInit_ex. So use whichever seems to make more sense to you. 2. Where can I read about cipher modes? There are several modes for each cipher on http://openssl.org/docs/crypto/EVP_EncryptInit.html#CIPHER%20LISTING They differ with suffix like _cbc, _ecb, _cfb, _ofb and etc. What are meanings of these suffixes and use-cases? They're standard chaining modes. wikipedia has a reasonable description of them. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Newbie questions: extracting public key's exponent and modules.
what about rsa_public_key-n and rsa_public_key-e You could do BN *n = BN_dup(rsa_public_key-n); BN *e = BN_dup(rsa_public_key-e); And do what you want with them (don't forget to free them) If you are wanting to display them char *n_txt = BN_bn2dec(n); char *e_txt = BN_bn2dec(e); or char *n_hextxt = BN_bn2hex(n); char *e_hextxt = BN_bn2hex(e); if you want the data in a non-openssl format for some other library you can get the bits int n_len = BN_num_bytes(n); int e_len = BN_num_bytes(e); unsigned char *raw_n,*raw_e if (! raw_n = malloc(n_len)) { fail ...} if (! raw_e = malloc(e_len)) { fail ...} if (BN_bn2bin(n,raw_n)!= n_len) { fail...} if (BN_bn2bin(e,raw_e)!= e_len) { fail...} -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Bizhan Gholikhamseh (bgholikh) Sent: Thursday, October 22, 2009 6:20 AM To: openssl-users@openssl.org Subject: Newbie questions: extracting public key's exponent and modules. Hi All, Here is the part of the code that was previously developed. The code successfully extract a public key from some secure server, now I like to know how to extract the exponent and modules of the public key (rsa_public_key). EVP_PKEY *public_key = NULL; RSA *rsa_public_key = NULL; ... ... public_key = ENGINE_load_public_key(e1, file_nm_public, UI_OpenSSL(), NULL); if (public_key == NULL) { ... exit (-1); } rsa_public_key = EVP_PKEY_get1_RSA(public_key); Many thanks in advance, Bizhan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: newbie program crashing.
First you fill the rsa structure with the private key, PEM_read_bio_RSAPrivateKey(in,rsa,NULL,NULL); then you overwrite it with the public key. PEM_read_bio_RSA_PUBKEY(in, rsa, NULL, NULL); RSA_private_decrypt() which points to RSA_eay_private_decrypt() requires the private exponent rsa-d which is NULL now. Peter -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Neil Dugan Sent: Sunday, August 02, 2009 8:01 AM To: openssl-users@openssl.org Subject: newbie program crashing. Hi, I have been trying to figure out why this is crashing with a 'Segmentation fault', as far as I can see all the buffers etc. are getting setup and passed around correctly. If I comment out line 51 with the call to RSA_private_decrypt() I don't get the 'Segmentation fault'. Help Please. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: newbie program crashing.
PMHager wrote: First you fill the rsa structure with the private key, PEM_read_bio_RSAPrivateKey(in,rsa,NULL,NULL); then you overwrite it with the public key. PEM_read_bio_RSA_PUBKEY(in, rsa, NULL, NULL); Thanks for hint.. I thought you had to load both public and private keys. I stopped the loading of the public key. Now its working thanks. RSA_private_decrypt() which points to RSA_eay_private_decrypt() requires the private exponent rsa-d which is NULL now. Peter -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Neil Dugan Sent: Sunday, August 02, 2009 8:01 AM To: openssl-users@openssl.org Subject: newbie program crashing. Hi, I have been trying to figure out why this is crashing with a 'Segmentation fault', as far as I can see all the buffers etc. are getting setup and passed around correctly. If I comment out line 51 with the call to RSA_private_decrypt() I don't get the 'Segmentation fault'. Help Please. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Newbie: PKCS#10 request for an existing key pair
Hello Patrick I am using Luna PCI as my HSM. To answer your questions, First question: Do you have OpenSSL patched to use that particular HSM as an engine? Yes, I verified with the documentation from the vendor. Second question: Do you have a openssl.cnf set up that properly instantiates that engine? Again the documentation provides some information on this., so my answer is yes. Thanks From: Patrick Patterson ppatter...@carillonis.com To: openssl-users@openssl.org Sent: Thursday, June 4, 2009 8:41:24 PM Subject: Re: Newbie: PKCS#10 request for an existing key pair Hi Raj: On June 4, 2009 12:58:02 pm Raj wrote: Hello Experts, I request your expert opinion in generating a PKCS#10 CSR; I have generated my RSA 1024 private public key pair in the HSM. The HSM exposes the keys as handles. First question: Do you have OpenSSL patched to use that particular HSM as an engine? Second question: Do you have a openssl.cnf set up that properly instantiates that engine? I am seeing that OpenSSL is raising the CSR (-new) but it generates the RSA key pair. In my case, i already have the keys generated with various attributes; I want to raise a CSR of this key pair which are referred by their handles. If that handle is in a file (most patches that I've seen for HSMs allow you to do this), then just point the -key parameter as that file. For information on how to create this openssl compatible private key file that contains the handle (if you don't have it already), I would talk to your HSM vendor. Have fun. -- Patrick Patterson President and Chief PKI Architect, Carillon Information Security Inc. http://www.carillon.ca __ OpenSSL Projecthttp://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Newbie: PKCS#10 request for an existing key pair
Hi Raj: On June 4, 2009 12:58:02 pm Raj wrote: Hello Experts, I request your expert opinion in generating a PKCS#10 CSR; I have generated my RSA 1024 private public key pair in the HSM. The HSM exposes the keys as handles. First question: Do you have OpenSSL patched to use that particular HSM as an engine? Second question: Do you have a openssl.cnf set up that properly instantiates that engine? I am seeing that OpenSSL is raising the CSR (-new) but it generates the RSA key pair. In my case, i already have the keys generated with various attributes; I want to raise a CSR of this key pair which are referred by their handles. If that handle is in a file (most patches that I've seen for HSMs allow you to do this), then just point the -key parameter as that file. For information on how to create this openssl compatible private key file that contains the handle (if you don't have it already), I would talk to your HSM vendor. Have fun. -- Patrick Patterson President and Chief PKI Architect, Carillon Information Security Inc. http://www.carillon.ca __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Newbie Questions
On January 6, 2009 12:20:47 pm Richard Lichvar wrote: A newbieto OpenSSL here. (Mainly used to using 3rd party authorities.) Not very good at command line stuff either. 1. Cert request generated from IIS 6 but it is against the default website with .txt extension. Can a cert be generated using this request? Depends - is the file a PKCS#10 request? If so, then as long as the private key is the same as that which will be used by your site, then it could be used for requesting a Certificate from a CA. 2. Used the example in CA.pl doc to generate a new CA and request. When doing CA.pl -signreq getting an error re. unable to load CA private key followed by a 2072:error:0906D06C:PEM Sounds like you haven't properly set up your CA. 3. How can I generate a cert using the original certreq.txt generated by IIS? CA.pl -signreq is one way. But only after properly setting up the CA. 4. How do I insure any cert generated will be recognized by IIS? I'm not sure that I understand - once loaded and configured into IIS, the certificate is PRESENTED by IIS to the browser. Thus, it is the browser that will be recognising the Certificate, not IIS. Now, if you are just deploying this internally in a test environment, you can just tell your test browsers to not care about trusting the Certificate. If you are deploying this to the world, or even within your organisation, you will get a lot fewer problems if you don't try and generate the certificate yourself, and instead, go and buy your certificate from someone that has their CA certificate in the browser trust list. Have fun. -- Patrick Patterson President and Chief PKI Architect, Carillon Information Security Inc. http://www.carillon.ca __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Newbie : is it possible to use SSL on multiple targets with just IP addresses ?
Hi, If I understand what you want to do, the answer is yes, it can be done. You can create a generic certificate with a given CN to be used in the embedded web server. The next question is... who will use this web server? If it's a program, so your system is used as an update server (for instance, although in this case identification would be critical), you can deactivate the CN checking, so that even if your CN does not correspond to the host name used in the URL the program will not complain. If you want a user to connect via a browser, the problem is that he will get a warning every time he connects (I'm not sure if this can be avoided just by accepting the certificate in the browser, as this is a CN problem, and not that the certificate is self-signed), although maybe this is not a problem for you depends on your application and who will use it. Well, any way the answer to your question is yes, a generic certificate can be used to create an SSL connection if you don't care about authentication. Best regards, Ion Larrañaga Mark Jackson(e)k dio: We are designing a new embedded system which runs its own web server. When installed in the field, the majority of the units will *not* have a domain-name, just a local IP address, since they will be mostly be used on company intranets (and so could be *any* ip address I guess). Most units will not have static IP addresses, but will rely on zeroconf or dhcp for address allocation. I guess some companies may wish to expose units to the internet and probably will have some form of domain name setup for each one (e.g. unit1.foobar.com, unit2.foobar.com, etc) So my question is this ... Can SSL + Certs be used / generated to work on such a dynamic type of network setup ? TBH, all we are requiring is to obtain a secure connection to the web server, rather than certifying that the embedded units are who they say they are. Is there some other way of doing this (either via SSL or some other web technology) ? I apologise if this is too open a question, but I've not managed to find a suitable Google search phrase that comes anywhere near to answering my question(s). Thank in advance Mark __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: newbie: problem + RSA
Hello, [EMAIL PROTECTED] wrote on 05/30/2008 12:34:15 PM: Hello, i have created the following code to test the use of RSA (signautre): #include stdio.h #include stdlib.h #include stdint.h #include fcntl.h #include unistd.h #include string.h #include openssl/engine.h #include openssl/err.h #include openssl/rsa.h #include openssl/rand.h #include openssl/sha.h main () { long erreur = 0; char *message=vatos locos para siempre; char *encrypt, *decrypt, *sign, hash[SHA_DIGEST_LENGTH],hash1[SHA_DIGEST_LENGTH]; int longmsg,i,random,ok; int siglong; RSA *rsa; random= RAND_load_file(/dev/urandom ,1024);//seeding the Pseudo random generator rsa = RSA_generate_key(128,13,NULL,NULL);//generating a key having a 128 bits modulus SHA1(message,strlen(message),hash);//computing a digest using SHA1 for(i=0; i20; ++i){ printf(%x,hash[i]);} printf(\n); sign=(unsigned char*)malloc(RSA_size(rsa)); ok= RSA_sign(NID_sha1,hash,strlen(hash),sign,siglong,rsa);//generating the signature using RSA erreur= ERR_get_error(); printf(signature = %d \n,ok); printf(signature length =%d \n,siglong); printf(erreur =%d \n,erreur); printf(PRNG random =%d \n,random); printf(strlen(hash) =%d \n,strlen(hash)); RSA_free(rsa); free(sign); } After i compiled it using: gcc rsa.c -o rsa -lssl And i received the following results: ff9c6bffdd1c5dff9157ffdbff93ffab3c23ffe5ffb344ff8b49632 signature = 0 signature length =-1209806408 erreur =67588208 PRNG random =0 strlen(hash) =20 here are my questions: 1- why RSA_sign returned a 0 (signautre = 0) which means the failure of the key generation? 2- why the signautre has a negative value unstead of having 20 bytes length? 3- why the function RAND_load_file returned zero unstead of returning the number of bytes obtained after seeding the PRNG? Try: - buffers for RSA_* functions mostly are unsigned char*, not char * - use -Wall at compile time and look at any warnings like passing argument 2 of ‘RSA_sign’ differ in signedness - do not use strlen() on signatures, signatures are binary data, not strings - you can not create RSA signature from 160 bit hash using 128 bit RSA key. - add SSL_load_error_strings() and SSL_library_init(). Best regards, -- Marek Marcola [EMAIL PROTECTED] :��IϮ��r�m (Z+�K�+1���x��h[�z�(Z+���f�y���f���h��)z{,���
Re: newbie question: sample s_server usage
On 9/28/07, Deep Chand [EMAIL PROTECTED] wrote: Hi, I'm a newbie to openssl and openssl toolkit. i need to add support for tls to one java client including client authentication, and i've made the changes to the client and need to test it with server, so trying to use s_server. I have used keytool utility supplied with jdk1.4 to generate client/server public/private key certificates using rsa algo. how do i use these certificates in invoking and testing my client using s_server? openssl s_server some tcp options here -cert filename -key keyfile and it should work. Checkout man page for more information about available options :) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: newbie: set cert time validity
No wonder I couldn't find the MakeCertificate function, it's actually resides in an external library. I 'll try to do anything I could to make sure it works as needed.. However, thank you very much for your help David Schwartz.. if you were in java.sun.com forum I'd surely have given you at least 7 duke dollars. Thanks again It's a kludge, but you could modify the certificate and then fix the signature, if you have direct access to the key that signs them. The key appears to be passed to 'RenewCertificate' and 'GenCRL'. After you adjust the time, just add this (untested): X509_gmtime_adj(X509_get_notBefore(x),0); //added on 16/7/2007 X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*pinfo.validity); X509_gmtime_roundup(X509_get_notAfter(x)); X509_sign(x, key ,EVP_sha1()); I think the 'key' should be the same thing you pass as 'pkey' to RenewCertificate. (I'm assuming 'RenewCertificate' or the CRL code use the same private key as you use to sign certificates. Double-check that too!) I've never tried signing a certificate that has already been signed. I hope it will digest and sign the correct part of the certificate and replace the old signature with a new one. But I've never tried it and can't easily test it right now. DS
Re: newbie: set cert time validity
No wonder I couldn't find the MakeCertificate function, it's actually resides in an external library. I 'll try to do anything I could to make sure it works as needed.. However, thank you very much for your help David Schwartz.. if you were in java.sun.com forum I'd surely have given you at least 7 duke dollars. Thanks again On 7/17/07, David Schwartz [EMAIL PROTECTED] wrote: thanks a lot for your lenghty explanation, David Schwartz. I really appreciate it for you to help me explain all this. I noted you said that what I did might be sensible if three things are the case: 1) The locale you are using the certificate has no daylight savings time. 2) The certificate isn't going anywhere, it's only going to be used in one place. 3) The certificate expires in the near future, so a risk of a change in daylight savings time rules is low. For the no (1), i'm not really sure about this daylight savings time.. I reside in Malaysia (next to singapore and thailand) and I'm not sure whether my country has any daylight savings time or not. For no(2), currently the issued certificates is only used in our office. I don't know the daylight savings time rules in your area, but if you have daylight savings time, then some of your certificates will expire an hour off from when you intended. I'm pretty sure you do have a daylight savings time and certificates issued that expire during daylight savings time will not actually expire at midnight but will be one hour off. if ((x = MakeCertificate(req,sconf,nconf,NULL,ca,ca_pkey, pinfo.begin_validity, pinfo.validity,pinfo.serial,pinfo.algo,0)) == NULL) { ret = ERROR_MAKECERT; goto end3; } X509_gmtime_adj(X509_get_notBefore(x),0); //added on 16/7/2007 X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*pinfo.validity); //added on 16/7/2007 X509_gmtime_roundup(X509_get_notAfter(x)); //added on 16/7/2007 This is wrong, you cannot modify the certificate after it is signed. You have to modify the 'MakeCertificate' function. As you may see above, I added the X509_gmtime_adj and X509_gmtime_roundup after the call to makeCertificate. The generated certificate will have the desired expiry date, but the cert itself would be corrupted. It will have this message displayed in the cert - The integrity of this certificate cannot be guaranteed. THe certificate may be corrupted or may have been altered. I guess this happens because I added the line X509_gmtime_ after the cert has been created, right? But I don't know anyway else where I should put it. Inside the 'MakeCertificate' function. And for the MakeCertificate function which was called above, all I could find was this code: X509 *MakeCertificate(X509_REQ *preq,char **sconf,int nconf,EVP_PKEY *self_key, char* cacert_file,EVP_PKEY *ca_key,int pbegin,int pdays, long pserial,int palgo,int ca_type) which was located in Global.h file. It doesn't seem any where I can put the X509_gmtime_roundup line Where is the code to the 'MakeCertificate' function? That where you'll have to do it. DS
RE: newbie: set cert time validity
This function rounds an ASN1_UTCTIME up to the end of the day it belongs to. You need to call this function on an ASN1_UTCTIME before you set it as the 'not valid after' date: void X509_gmtime_roundup(ASN1_UTCTIME *s) { /* Rounds an ASN1_UTCTIME up to the end of the current day */ char buf[32]; strcpy(buf, (const char *) ASN1_STRING_data(s)); strcpy(buf+6, 235959Z); ASN1_UTCTIME_set_string(s, buf); } Here's where I think that goes in your code: int RenewCertificate(X509 *old_x509,X509 ** new_x509,EVP_PKEY* pkey, int validity) { X509 *x = NULL; x=old_x509; char buf[512]; X509_gmtime_adj(X509_get_notBefore(x),0); X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*validity); Here, the 'not valid after' time was just advanced. You need to round it, so add: X509_gmtime_roundup(X509_get_notAfter(x)); ... ... } and void GenCRL(X509 *x509, EVP_PKEY *pkey, TStringList *ListRev, TStringList *ListSer, int SumList) { ... X509_gmtime_adj(ci-lastUpdate,0); if (ci-nextUpdate == NULL) ci-nextUpdate=ASN1_UTCTIME_new(); X509_gmtime_adj(ci-nextUpdate,(crldays*24+crlhours)*60*60); If you want to round the CRL time, up, use this line next: X509_gmtime_roundup(ci-nextUpdate); ... } void GenCRL(X509 *x509, EVP_PKEY *pkey, TStringList *ListRev, TStringList *ListSer, int SumList) { if (ci-nextUpdate == NULL) ci-nextUpdate=ASN1_UTCTIME_new(); X509_gmtime_adj(ci-nextUpdate,(crldays*24+crlhours)*60*60); This also sets the 'nextUpdate' time. If you want to round that to the end of the day, add: X509_gmtime_roudup(ci-nextUpdate); } it seems here all the function that you mentioned are not called to generate the cert. I'm totally lost on what i should do now...? Be sure to test this code before relying on it! DS
Re: newbie: set cert time validity
Thanks a lot for your help, David Schwartz! I haven't got it correctly yet, but with your help I could see I'm moving somewhere here. I added the X509_gmtime_roundup(X509_get_notAfter(x)); at my renewCertificate function. When I renewed the cert valid to for example, to 31/7/2007, the cert valid to will be strangely changed to '1/8/2007 7:59:59. May I know which part should I alter here? Btw I have to add the function void X509_gmtime_roundup(ASN1_UTCTIME *s) { /* Rounds an ASN1_UTCTIME up to the end of the current day */ char buf[32]; strcpy(buf, (const char *) ASN1_STRING_data(s)); strcpy(buf+6, 235959Z); ASN1_UTCTIME_set_string(s, buf); } to the top of my code, if not, it will return an 'Call to undefined function 'X509_gmtime_roundup'' error. Thanks again. On 7/16/07, David Schwartz [EMAIL PROTECTED] wrote: This function rounds an ASN1_UTCTIME up to the end of the day it belongs to. You need to call this function on an ASN1_UTCTIME before you set it as the 'not valid after' date: void X509_gmtime_roundup(ASN1_UTCTIME *s) { /* Rounds an ASN1_UTCTIME up to the end of the current day */ char buf[32]; strcpy(buf, (const char *) ASN1_STRING_data(s)); strcpy(buf+6, 235959Z); ASN1_UTCTIME_set_string(s, buf); } Here's where I think that goes in your code: int RenewCertificate(X509 *old_x509,X509 ** new_x509,EVP_PKEY* pkey, int validity) { X509 *x = NULL; x=old_x509; char buf[512]; X509_gmtime_adj(X509_get_notBefore(x),0); X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*validity); Here, the 'not valid after' time was just advanced. You need to round it, so add: X509_gmtime_roundup(X509_get_notAfter(x)); ... ... } and void GenCRL(X509 *x509, EVP_PKEY *pkey, TStringList *ListRev, TStringList *ListSer, int SumList) { ... X509_gmtime_adj(ci-lastUpdate,0); if (ci-nextUpdate == NULL) ci-nextUpdate=ASN1_UTCTIME_new(); X509_gmtime_adj(ci-nextUpdate,(crldays*24+crlhours)*60*60); If you want to round the CRL time, up, use this line next: X509_gmtime_roundup(ci-nextUpdate); ... } void GenCRL(X509 *x509, EVP_PKEY *pkey, TStringList *ListRev, TStringList *ListSer, int SumList) { if (ci-nextUpdate == NULL) ci-nextUpdate=ASN1_UTCTIME_new(); X509_gmtime_adj(ci-nextUpdate,(crldays*24+crlhours)*60*60); This also sets the 'nextUpdate' time. If you want to round that to the end of the day, add: X509_gmtime_roudup(ci-nextUpdate); } it seems here all the function that you mentioned are not called to generate the cert. I'm totally lost on what i should do now...? Be sure to test this code before relying on it! DS
RE: newbie: set cert time validity
I added the X509_gmtime_roundup(X509_get_notAfter(x)); at my renewCertificate function. When I renewed the cert valid to for example, to 31/7/2007, the cert valid to will be strangely changed to '1/8/2007 7:59:59. May I know which part should I alter here? There is nothing to change, as it is doing exactly what you wanted. The certificate now expires at the end of the day. 1/8/2007 7:59:59 is probably the last second of the day. You are probably looking at the time translated into the time where you happen to be, rather than looking at the UTC/GMT time. Are you asking that the time be set to the last second of the day in the timezone your computer happens to be in? That's essentially impossible because times can be changed at the whim of governments. There is no practical way to know what will be the last second of 1/8/2020 in San Francisco. (Because things like daylight savings time can change.) DS
Re: newbie: set cert time validity
I see... does this mean I can't make it to expire at 23:59:59 for the particular day? This is the UTC/GMT time for which area...? hmm.. actly i'm still confused... anyway it's ok then if I can't make it that way. Is there any way I can convince my boss that (besides sending him a copy of this email conversation) it's practically impossible to do what he asked me to do (make the cert expire at 23:59:59 at a choosen date)? He bugged me to do this since last week, although I've told him many times that I can't do it. Thanks a lot. And again, really thanks a lot for your help, David Schwartz. On 7/16/07, David Schwartz [EMAIL PROTECTED] wrote: I added the X509_gmtime_roundup(X509_get_notAfter(x)); at my renewCertificate function. When I renewed the cert valid to for example, to 31/7/2007, the cert valid to will be strangely changed to '1/8/2007 7:59:59. May I know which part should I alter here? There is nothing to change, as it is doing exactly what you wanted. The certificate now expires at the end of the day. 1/8/2007 7:59:59 is probably the last second of the day. You are probably looking at the time translated into the time where you happen to be, rather than looking at the UTC/GMT time. Are you asking that the time be set to the last second of the day in the timezone your computer happens to be in? That's essentially impossible because times can be changed at the whim of governments. There is no practical way to know what will be the last second of 1/8/2020 in San Francisco. (Because things like daylight savings time can change.) DS
Re: newbie: set cert time validity
hold on! thanks a lot I managed to get it to 23:59:59. all i had to do was change the value strcpy(buf+6, 235959Z); to strcpy(buf+6, 155959Z); thanks again, David Schwartz! You're a great help!! On 7/16/07, David Schwartz [EMAIL PROTECTED] wrote: I added the X509_gmtime_roundup(X509_get_notAfter(x)); at my renewCertificate function. When I renewed the cert valid to for example, to 31/7/2007, the cert valid to will be strangely changed to '1/8/2007 7:59:59. May I know which part should I alter here? There is nothing to change, as it is doing exactly what you wanted. The certificate now expires at the end of the day. 1/8/2007 7:59:59 is probably the last second of the day. You are probably looking at the time translated into the time where you happen to be, rather than looking at the UTC/GMT time. Are you asking that the time be set to the last second of the day in the timezone your computer happens to be in? That's essentially impossible because times can be changed at the whim of governments. There is no practical way to know what will be the last second of 1/8/2020 in San Francisco. (Because things like daylight savings time can change.) DS
Re: newbie: set cert time validity
erm... but there's still one problem. where in IssueCertificate should I add the line X509_gmtime_roundup(X509_get_notAfter(x)); ? because currently the line is only added in renewCertificate... as I can't see where in IssueCertificate can I add those lines.. thanks again On 7/16/07, David Schwartz [EMAIL PROTECTED] wrote: I added the X509_gmtime_roundup(X509_get_notAfter(x)); at my renewCertificate function. When I renewed the cert valid to for example, to 31/7/2007, the cert valid to will be strangely changed to '1/8/2007 7:59:59. May I know which part should I alter here? There is nothing to change, as it is doing exactly what you wanted. The certificate now expires at the end of the day. 1/8/2007 7:59:59 is probably the last second of the day. You are probably looking at the time translated into the time where you happen to be, rather than looking at the UTC/GMT time. Are you asking that the time be set to the last second of the day in the timezone your computer happens to be in? That's essentially impossible because times can be changed at the whim of governments. There is no practical way to know what will be the last second of 1/8/2020 in San Francisco. (Because things like daylight savings time can change.) DS
RE: newbie: set cert time validity
hold on! thanks a lot I managed to get it to 23:59:59. all i had to do was change the value strcpy(buf+6, 235959Z); to strcpy(buf+6, 155959Z); I would not do that. There is no way you can know that 15:59:59 will correspond to 24:59:59 in the future when the certificate expires. You are essentially predicting what the time zone shift will be at some future date. I would strongly urge you to make it expire at midnight UTC/GMT time. I would go further as to say that whatever tool is presenting certificate expiration times to you as '1/8/2007 7:59:59' (which is the way you pasted it) should be dumped and replaced with something sane. This contains no time zone indicator or GMT offset. If you paste it to a mailing list, it is meaningless. If your requirement really is that a certificate expire at midnight for the time zone in which it was issued, assuming the zone offset will be the same at certificate issue time as it was at certificate issue time, then the requirement should be re-examined. For one thing, '155959Z' can't possibly be right for every possible case (unless your locality has no daylight savings time and you get lucky and it never does). You are assuming that 15:59:59 local time will correspond to 24:59:59 UTC time at the time and place the certificate is being used when it expires. This seems like a truly crazy assumption. It might be sensible if three things are the case: 1) The locale you are using the certificate has no daylight savings time. 2) The certificate isn't going anywhere, it's only going to be used in one place. 3) The certificate expires in the near future, so a risk of a change in daylight savings time rules is low. Otherwise, this is broken. erm... but there's still one problem. where in IssueCertificate should I add the line X509_gmtime_roundup(X509_get_notAfter(x)); ? because currently the line is only added in renewCertificate... as I can't see where in IssueCertificate can I add those lines.. thanks again You didn't paste the code to IssueCertificate. You should be able to find where it sets the expiration time and modify it just like the others. If not, why are you monkeying in security-critical code? Please don't take this the wrong way -- but you are modifying security-critical code based on a requirement that seems to make no sense. DS
Re: newbie: set cert time validity
thanks a lot for your lenghty explanation, David Schwartz. I really appreciate it for you to help me explain all this. I noted you said that what I did might be sensible if three things are the case: 1) The locale you are using the certificate has no daylight savings time. 2) The certificate isn't going anywhere, it's only going to be used in one place. 3) The certificate expires in the near future, so a risk of a change in daylight savings time rules is low. For the no (1), i'm not really sure about this daylight savings time.. I reside in Malaysia (next to singapore and thailand) and I'm not sure whether my country has any daylight savings time or not. For no(2), currently the issued certificates is only used in our office. Anyway to issue certificate, the codes is as below: if (!(returnIssueCertificate=IssueCertificate(cinfo,x509,skey,ca,Type,HexSerial,sendUserName,sendUserID))) { MessageDlg(Issue certificate is failed,mtError,TMsgDlgButtons()mbOK, 0); FreeCertDetail(cinfo); return; } and this is the called IssueCertificate function int IssueCertificate(CERT_DETAIL pinfo,char *x509,char *key,char *ca, int Type, AnsiString *HexSerial, AnsiString receiveUserName, AnsiString receiveUserID) { FILE *fp = NULL; Base64 encoder; AnsiString s, ca_cert, ca_key; int i, key_len, len, ret = 1, nconf = 0; X509 *x = NULL, *xca = NULL; X509_REQ *req = NULL; EVP_PKEY *pkey = NULL, *ca_pkey = NULL; unsigned char skey[1024*8]; char buf[128], *sconf[100], *mkey = NULL; char ckey[1024], cacert[1024 * 8], profpass[1024], cacert_file[400], kbuf[1024],cbuf[1024 * 8]; unsigned char *p, plain[EBUFSIZE+4], emkey[EBUFSIZE+4], t_emkey[EBUFSIZE+4]; // Load profile certificate and private key if ((ca_pkey = ReadKey(pinfo.ca_KeyFile.c_str())) == NULL) return ERROR_READ_CAKEY; nconf = PrintConfig(pinfo,sconf,TYPE_CLIENT); if ((mkey = GenerateMasterKey()) == NULL) { ret = ERROR_GENERATE_MKEY; goto end1; } if ((pkey = CVAULT_Key_read(key)) == NULL) { ret = ERROR_READ_KEY; delete mkey; goto end1; } if ((req = MakeRequest(sconf,nconf,pkey,NULL)) == NULL) { ret = ERROR_MAKEREQ; goto end2; } if ((x = MakeCertificate(req,sconf,nconf,NULL,ca,ca_pkey, pinfo.begin_validity, pinfo.validity,pinfo.serial,pinfo.algo,0)) == NULL) { ret = ERROR_MAKECERT; goto end3; } X509_gmtime_adj(X509_get_notBefore(x),0); //added on 16/7/2007 X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*pinfo.validity); //added on 16/7/2007 X509_gmtime_roundup(X509_get_notAfter(x)); //added on 16/7/2007 char buf1[1024]; GetSerialNumber(x-cert_info-serialNumber,buf1); *HexSerial = (AnsiString)buf1; CVAULT_X509_write(x,x509); MakePKCS12(pass.c_str(),name.c_str(),pkey,x,p12Path.c_str()); s = progpath + client.key; WriteKey(pkey,s.c_str()); //s = progpath + user.crt; s = progpath + receiveUserID + - + receiveUserName + .crt; if ((fp = fopen(s.c_str(),w)) == NULL) { ShowMessage(ERROR: Open cert.crt); return -3; //to indicate that program unable to open user.crt } fprintf(fp,%s,x509); fclose(fp); // Write CA certificate if ((xca = ReadCertificate(ca)) == NULL) { ret = ERROR_READ_CACERT; goto end3; } CVAULT_X509_write(xca,cacert); s = progpath + CA.crt; if ((fp = fopen(s.c_str(),w)) == NULL) { ShowMessage(ERROR: Open CA.crt); return -1; } fprintf(fp,%s,cacert); fclose(fp); X509_free(xca); ret = 1; //MainForm-tinfo = pinfo; end3: X509_REQ_free(req); end2: EVP_PKEY_free(pkey); end1: for (i=0; i80; i++) free(sconf[i]); //endfor return ret; } As you may see above, I added the X509_gmtime_adj and X509_gmtime_roundup after the call to makeCertificate. The generated certificate will have the desired expiry date, but the cert itself would be corrupted. It will have this message displayed in the cert - The integrity of this certificate cannot be guaranteed. THe certificate may be corrupted or may have been altered. I guess this happens because I added the line X509_gmtime_ after the cert has been created, right? But I don't know anyway else where I should put it. And for the MakeCertificate function which was called above, all I could find was this code: X509 *MakeCertificate(X509_REQ *preq,char **sconf,int nconf,EVP_PKEY *self_key, char* cacert_file,EVP_PKEY *ca_key,int pbegin,int pdays, long pserial,int palgo,int ca_type) which was located in Global.h file. It doesn't seem any where I can put the X509_gmtime_roundup line *Please don't take this the wrong way -- but you are modifying security-critical code based on a requirement that seems to make no sense. I've told the management of my company that I don't want to continue debugging this code, but they insist I have to do it because they
RE: newbie: set cert time validity
thanks a lot for your lenghty explanation, David Schwartz. I really appreciate it for you to help me explain all this. I noted you said that what I did might be sensible if three things are the case: 1) The locale you are using the certificate has no daylight savings time. 2) The certificate isn't going anywhere, it's only going to be used in one place. 3) The certificate expires in the near future, so a risk of a change in daylight savings time rules is low. For the no (1), i'm not really sure about this daylight savings time.. I reside in Malaysia (next to singapore and thailand) and I'm not sure whether my country has any daylight savings time or not. For no(2), currently the issued certificates is only used in our office. I don't know the daylight savings time rules in your area, but if you have daylight savings time, then some of your certificates will expire an hour off from when you intended. I'm pretty sure you do have a daylight savings time and certificates issued that expire during daylight savings time will not actually expire at midnight but will be one hour off. if ((x = MakeCertificate(req,sconf,nconf,NULL,ca,ca_pkey, pinfo.begin_validity, pinfo.validity,pinfo.serial,pinfo.algo,0)) == NULL) { ret = ERROR_MAKECERT; goto end3; } X509_gmtime_adj(X509_get_notBefore(x),0); //added on 16/7/2007 X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*pinfo.validity); //added on 16/7/2007 X509_gmtime_roundup(X509_get_notAfter(x)); //added on 16/7/2007 This is wrong, you cannot modify the certificate after it is signed. You have to modify the 'MakeCertificate' function. As you may see above, I added the X509_gmtime_adj and X509_gmtime_roundup after the call to makeCertificate. The generated certificate will have the desired expiry date, but the cert itself would be corrupted. It will have this message displayed in the cert - The integrity of this certificate cannot be guaranteed. THe certificate may be corrupted or may have been altered. I guess this happens because I added the line X509_gmtime_ after the cert has been created, right? But I don't know anyway else where I should put it. Inside the 'MakeCertificate' function. And for the MakeCertificate function which was called above, all I could find was this code: X509 *MakeCertificate(X509_REQ *preq,char **sconf,int nconf,EVP_PKEY *self_key, char* cacert_file,EVP_PKEY *ca_key,int pbegin,int pdays, long pserial,int palgo,int ca_type) which was located in Global.h file. It doesn't seem any where I can put the X509_gmtime_roundup line Where is the code to the 'MakeCertificate' function? That where you'll have to do it. DS
Re: newbie: set cert time validity
Thanks a lot for trying to help me. here's the snippet of the code: the function that calls IssueCertificate has this line in them: cinfo.begin_validity = day_start; cinfo.validity = day_end; both day_start and day_end are int variables. then they are passed to the IssueCertificate function as CERT_DETAIL pinfo. //this is the called function int IssueCertificate(CERT_DETAIL pinfo,char *x509,char *key,char *ca, int Type, AnsiString *HexSerial, AnsiString receiveUserName, AnsiString receiveUserID) { //this is some of the variable FILE *fp = NULL; Base64 encoder; AnsiString s, ca_cert, ca_key; int i, key_len, len, ret = 1, nconf = 0; X509 *x = NULL, *xca = NULL; X509_REQ *req = NULL; EVP_PKEY *pkey = NULL, *ca_pkey = NULL; unsigned char skey[1024*8]; char buf[128], *sconf[100], *mkey = NULL; char ckey[1024], cacert[1024 * 8], profpass[1024], cacert_file[400], kbuf[1024],cbuf[1024 * 8]; unsigned char *p, plain[EBUFSIZE+4], emkey[EBUFSIZE+4], t_emkey[EBUFSIZE+4]; ... ... ... //this is the part that calls the function to generate the cert i guess if ((x = MakeCertificate(req,sconf,nconf,NULL,ca,ca_pkey, pinfo.begin_validity, pinfo.validity,pinfo.serial,pinfo.algo,0)) == NULL) { ret = ERROR_MAKECERT; goto end3; } } There's no X509_set_notAfter in my called after I searched through it. For 'X509_gmtime_adj' all I get was: int RenewCertificate(X509 *old_x509,X509 ** new_x509,EVP_PKEY* pkey, int validity) { X509 *x = NULL; x=old_x509; char buf[512]; X509_gmtime_adj(X509_get_notBefore(x),0); X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*validity); ... ... } and void GenCRL(X509 *x509, EVP_PKEY *pkey, TStringList *ListRev, TStringList *ListSer, int SumList) { ... X509_gmtime_adj(ci-lastUpdate,0); if (ci-nextUpdate == NULL) ci-nextUpdate=ASN1_UTCTIME_new(); X509_gmtime_adj(ci-nextUpdate,(crldays*24+crlhours)*60*60); ... } Revoke do_revoke(X509 *x509) { ... revtm=X509_gmtime_adj(revtm,0); ... } but it was called inside the RenewCertificate, GenCrl and revoke function, and not IssueCertificate which is used to issue the cert, so I guess it must have no relation, right? Please correct me if i'm wrong. For ASN1_UTCTIME all I get was: Revoke do_revoke(X509 *x509) { revtm = ASN1_UTCTIME_new(); revtm=X509_gmtime_adj(revtm,0); rdate=(char *)OPENSSL_malloc(revtm-length+1); memcpy(rdate,revtm-data,revtm-length); ASN1_UTCTIME_free(revtm); } and void GenCRL(X509 *x509, EVP_PKEY *pkey, TStringList *ListRev, TStringList *ListSer, int SumList) { if (ci-nextUpdate == NULL) ci-nextUpdate=ASN1_UTCTIME_new(); X509_gmtime_adj(ci-nextUpdate,(crldays*24+crlhours)*60*60); } it seems here all the function that you mentioned are not called to generate the cert. I'm totally lost on what i should do now...? thanks a lot On 7/14/07, David Schwartz [EMAIL PROTECTED] wrote: thanks a lot for answering my question.. but is this the only way? it seems a bit overwhelming for me.. isn't there any other way? like any function we can call? Rather than risking you screwing up security-critical code, why don't you paste the part of the code that sets the validity and I'll post back the code modified as you need? Search for 'X509_set_notAfter', 'X509_gmtime_adj' and 'ASN1_UTCTIME' and with luck you should be able to find that chunk of code. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: newbie: set cert time validity
thanks a lot for answering my question.. but is this the only way? it seems a bit overwhelming for me.. isn't there any other way? like any function we can call? thanks On 7/13/07, Jim Fox [EMAIL PROTECTED] wrote: On Jul 12, 2007, at 9:29 PM, imin macho wrote: hi... i'm a noob in openssl.. my employee asked me to edit our c++ cert issuer engine developed using openssl. currently the cert generated will be valid based on the time we generate it. for example, if i generate a cert at 13 july 2007 1:30pm and set its validity for 5 days, the cert will be valid only till 18 july 2007 1:30 pm.. what should I do to make the cert valid till 11:59pm on that day? This is what my boss asked me to do.. please help.. any help is greatly appreciated. Cert signing routines generally set the not-before and not-after times relative to now. So you'll need to find a tie in seconds that represents midnight of some day. Then find the difference from that time to now. Do a UNIX man mktime. It describes several routines that manipulate a tm structure. Basically, you convert the current expire time to a tm struct, set the day to what you want, set the hour, minute, and second to maximum, and convert back to a time_t. Jim __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: newbie: set cert time validity
thanks a lot for answering my question.. but is this the only way? it seems a bit overwhelming for me.. isn't there any other way? like any function we can call? Rather than risking you screwing up security-critical code, why don't you paste the part of the code that sets the validity and I'll post back the code modified as you need? Search for 'X509_set_notAfter', 'X509_gmtime_adj' and 'ASN1_UTCTIME' and with luck you should be able to find that chunk of code. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: newbie: set cert time validity
On Jul 12, 2007, at 9:29 PM, imin macho wrote: hi... i'm a noob in openssl.. my employee asked me to edit our c++ cert issuer engine developed using openssl. currently the cert generated will be valid based on the time we generate it. for example, if i generate a cert at 13 july 2007 1:30pm and set its validity for 5 days, the cert will be valid only till 18 july 2007 1:30 pm.. what should I do to make the cert valid till 11:59pm on that day? This is what my boss asked me to do.. please help.. any help is greatly appreciated. Cert signing routines generally set the not-before and not-after times relative to now. So you'll need to find a tie in seconds that represents midnight of some day. Then find the difference from that time to now. Do a UNIX man mktime. It describes several routines that manipulate a tm structure. Basically, you convert the current expire time to a tm struct, set the day to what you want, set the hour, minute, and second to maximum, and convert back to a time_t. Jim __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: newbie installation problem - Makefile.org not found
Hi, Here's the Makefile.org (attachment). If you're downloading the complete source code, this file should have been included. Regards, --Endhy Makefile.org Description: Binary data
Re: newbie installation problem - Makefile.org not found
Hi, Endhy, Thank you so much for your help. Obviously I am missing a lot more files than just this one. I've found out the problem. What I did the first time was - I decompressed the file on Windows, transferred the tar file to AIX, then un-tar on AIX. Apparently a lot of files are lost in translation this way. If I unzip the file on Windows, then I get all the files. Peter Endhy Aziz [EMAIL PROTECTED] 6/25/2007 9:51 AM Hi, Here's the Makefile.org ( http://makefile.org/ ) (attachment). If you're downloading the complete source code, this file should have been included. Regards, --Endhy This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
Re: Newbie build question
Please ignore. My silly mistake. Got it to build. Sumati Gupta [EMAIL PROTECTED] wrote: Hi, This is a newbie question: I downloaded the openssl source and built libssl and libcrypto with the linux-debug-elf option. I removed the efence library from the make file since I don't have it. Now when I link the two libs with my app, I get a whole bunch of links errors like: /usr/lib/libssl.so: undefined reference to `BIO_puts@@OPENSSL_0.9.8' /usr/lib/libssl.so: undefined reference to `X509_VERIFY_PARAM_free@@OPENSSL_0.9.8' What am I doing wrong? I'd appreciate any help. - Be a better Globetrotter. Get better travel answers from someone who knows. Yahoo! Answers - Check it out. - Choose the right car based on your needs. Check out Yahoo! Autos new Car Finder tool.
Re: Newbie questions
Much appreciated Endhy. Garyc --- Endhy Aziz [EMAIL PROTECTED] wrote: I wrote : One of the chapter, Designing With SSL may help . Should be : One of the chapter, Coding With SSL may help Regards, --Endhy __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions
See SSL and TLS by Eric Rescorla. It describes SSL protocol completely, including how to program with SSL. One of the chapter, Designing With SSL may help you. --Endhy
Re: Newbie questions
I wrote : One of the chapter, Designing With SSL may help . Should be : One of the chapter, Coding With SSL may help Regards, --Endhy
RE: Newbie questions
Hi, I downloaded and installed open-ssl on a windows environment. I then used the openssl application to start the s_client and s_server. I ran the client and server with the following commands. I then attempted to connect my client to the s_server. I managed to connect to the server but failed to transmit data. Can anybody point me to a simple example I can use to get me rolling on this? I don't think this are any simple examples for OpenSSL ;-) The best bet IMHO is to buy a few books and read them thoroughly before attempting to anything. I have Network Security with OpenSSL, and SSL and TLS by Eric Rescorla. M __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie questions
Hey Mark, Yep I think your right. Ordered the Network Security with OpenSSL book. Thanks, Garyc --- Mark [EMAIL PROTECTED] wrote: Hi, I downloaded and installed open-ssl on a windows environment. I then used the openssl application to start the s_client and s_server. I ran the client and server with the following commands. I then attempted to connect my client to the s_server. I managed to connect to the server but failed to transmit data. Can anybody point me to a simple example I can use to get me rolling on this? I don't think this are any simple examples for OpenSSL ;-) The best bet IMHO is to buy a few books and read them thoroughly before attempting to anything. I have Network Security with OpenSSL, and SSL and TLS by Eric Rescorla. M __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions
I believe a PDF is available for free on the Internet. I googled for it a few weeks ago thinking I would find an abstract of it and instead found the entire book. Chaz On 5/23/07, gary clark [EMAIL PROTECTED] wrote: Hey Mark, Yep I think your right. Ordered the Network Security with OpenSSL book. Thanks, Garyc --- Mark [EMAIL PROTECTED] wrote: Hi, I downloaded and installed open-ssl on a windows environment. I then used the openssl application to start the s_client and s_server. I ran the client and server with the following commands. I then attempted to connect my client to the s_server. I managed to connect to the server but failed to transmit data. Can anybody point me to a simple example I can use to get me rolling on this? I don't think this are any simple examples for OpenSSL ;-) The best bet IMHO is to buy a few books and read them thoroughly before attempting to anything. I have Network Security with OpenSSL, and SSL and TLS by Eric Rescorla. M __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions
Hey Chas, You dont happen to know the link. Did a quick search and just got the pdf with just the first 5 chapters? Much appreciated, Garyc --- Chas. [EMAIL PROTECTED] wrote: I believe a PDF is available for free on the Internet. I googled for it a few weeks ago thinking I would find an abstract of it and instead found the entire book. Chaz On 5/23/07, gary clark [EMAIL PROTECTED] wrote: Hey Mark, Yep I think your right. Ordered the Network Security with OpenSSL book. Thanks, Garyc --- Mark [EMAIL PROTECTED] wrote: Hi, I downloaded and installed open-ssl on a windows environment. I then used the openssl application to start the s_client and s_server. I ran the client and server with the following commands. I then attempted to connect my client to the s_server. I managed to connect to the server but failed to transmit data. Can anybody point me to a simple example I can use to get me rolling on this? I don't think this are any simple examples for OpenSSL ;-) The best bet IMHO is to buy a few books and read them thoroughly before attempting to anything. I have Network Security with OpenSSL, and SSL and TLS by Eric Rescorla. M __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions
When I get back to my house this evening I will send you the file. Will that be alright? Chas. On 5/23/07, gary clark [EMAIL PROTECTED] wrote: Hey Chas, You dont happen to know the link. Did a quick search and just got the pdf with just the first 5 chapters? Much appreciated, Garyc --- Chas. [EMAIL PROTECTED] wrote: I believe a PDF is available for free on the Internet. I googled for it a few weeks ago thinking I would find an abstract of it and instead found the entire book. Chaz On 5/23/07, gary clark [EMAIL PROTECTED] wrote: Hey Mark, Yep I think your right. Ordered the Network Security with OpenSSL book. Thanks, Garyc --- Mark [EMAIL PROTECTED] wrote: Hi, I downloaded and installed open-ssl on a windows environment. I then used the openssl application to start the s_client and s_server. I ran the client and server with the following commands. I then attempted to connect my client to the s_server. I managed to connect to the server but failed to transmit data. Can anybody point me to a simple example I can use to get me rolling on this? I don't think this are any simple examples for OpenSSL ;-) The best bet IMHO is to buy a few books and read them thoroughly before attempting to anything. I have Network Security with OpenSSL, and SSL and TLS by Eric Rescorla. M __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions
Excellent Chas. Thanks, Garyc --- Chas. [EMAIL PROTECTED] wrote: When I get back to my house this evening I will send you the file. Will that be alright? Chas. On 5/23/07, gary clark [EMAIL PROTECTED] wrote: Hey Chas, You dont happen to know the link. Did a quick search and just got the pdf with just the first 5 chapters? Much appreciated, Garyc --- Chas. [EMAIL PROTECTED] wrote: I believe a PDF is available for free on the Internet. I googled for it a few weeks ago thinking I would find an abstract of it and instead found the entire book. Chaz On 5/23/07, gary clark [EMAIL PROTECTED] wrote: Hey Mark, Yep I think your right. Ordered the Network Security with OpenSSL book. Thanks, Garyc --- Mark [EMAIL PROTECTED] wrote: Hi, I downloaded and installed open-ssl on a windows environment. I then used the openssl application to start the s_client and s_server. I ran the client and server with the following commands. I then attempted to connect my client to the s_server. I managed to connect to the server but failed to transmit data. Can anybody point me to a simple example I can use to get me rolling on this? I don't think this are any simple examples for OpenSSL ;-) The best bet IMHO is to buy a few books and read them thoroughly before attempting to anything. I have Network Security with OpenSSL, and SSL and TLS by Eric Rescorla. M __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie Questions
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rocky S schrieb: 1) I have installed openssl sources. In the certs directory, there are various certificates. I looked at a couple of them - aol1.pem vsign1.pem. The vsign1.pem starts with [...] The aol1.pem directly starts with BEGIN_CERTIFICATE - i.e. it doesn't have the subject field the notBefore/notAfter. Why this difference between aol1.pem vsign1.pem? The differences are only cosmetically. The important part is between the -BEGIN CERTIFICATE- and - -END CERTIFICATE- lines. The other data is for humans to see what is between these lines... 2) I can run the command openssl x509 -hash -in [pem filename] on either of the pem files I get a hash (for eg. bda4cc84) for aol1.pem What exactly is being hashed here - is it the part between BEGIN_CERTIFICATE END_CERTIFICATE? The subject name of the certificate stored between the BEGIN... / END... lines. What hashing algorithm in being used? It is the first 4 bytes of the MD5 hash of the certificate subject name. 3) I have firefox installed on my machine. I go to tools - options - advanced- Encryption Tab. Then I click on view certificates. I get the certificate manager dialog with 4 tabs - Your certs, other people's certs, web sites authorites. All these 4 tabs have the Import Button. I am able to import aol1.pem etc using the import button on the last 2 tabs, but not the first 2 tabs. This indicates that firefox still has some issues handling certificates. These certificates are CA certificates (and for example aol1.pem clearly marked as one) so it should only be possible to import it in the authorities tab. Bye Goetz - -- DMCA: The greed of the few outweights the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGE4W12iGqZUF3qPYRAkPoAJ4g+FaXz63dkL6DlzXW9kwW4hpEqQCbB0Qf l+raxPF/NCktluLTFYf/B9Y= =Sr8E -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie assumptions questions
On Friday 23 February 2007 15:32:54 Bernhard Froehlich wrote: Bruno Costacurta schrieb: Hello, as a newbie, I have some assumptions / questions hereafter about OpenSSL and certificates. Many thanks to correct / confirm me. - a certificate is a public key with metadata - metadata contain mandatories (ie. subject and issuer) and optional parameters - there is no relation between the key algorithm (ie.RSA) and the format of the certificate (ie.PKCS#12) - a certificate can always be converted to another format - the certificate request (.csr) is obsolete (and so should be deleted) once the certificate is created by the CA - technically speaking a 'home-made' CA is egual to a 'professional' CA Almost 100% correct till here (PKCS#12 is not a format specific for certificates but a bag which can contain certificates, keys and probably other things). - the CA remains fully secure as long its private key remains undistributed / uncompromised ... and the key is strong enough not to be broken (brute force or otherwise). And your procedures are good enough that noone can trick you into issuing fake certificates. And many things more. So what you are saying is one important part of the truth, but you can probably spend a lifetime with the rest of it. - for a CA, files serial index files allows to maintain a (type of) database to persist which certificates (with related metadata values) were created by this CA Almost correct. The serial file has to make sure that there are no two certificates with the same serial number issued by the same CA. - serial information within the certificate is useless If you are still talking of only the serial number you are correct. But if you also know the issuing CA you can uniquely identify the certificate. A CRL (Certificate Revocation List) for example works by publishing the serial numbers which have been revoked by a CA and OCSP also tells you the status of a certificate if you only tell the (CA specific) responder the serial number. As far as I understand, the serial information within the certificate is only useful as a reference for the CA. This reference can be used by the CA to revoke the certificate. Is this correct ? Is there other action that can be made by the CA on a specific certificate (ie. renew, some metadata changes...) ? Thanks, Bruno - can a certificate contain more than one public key ? That beats me. I don't think the typical client (that is, a browser) can handle multiple keys of the subject if it would be possible to encode it. And I cannot think of possible uses for multiple keys in one certificate. Of course more public keys could be included as certificate extensions if you write your own sofware that does something with these extensions. Thanks for attention. Bye, Bruno Hope it helps. Ted ;) -- Bruno Costacurta PGP key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html Key fingerprint = 713F 7956 9441 7DEF 58ED 1951 7E07 569B 2E60 4D51 -- pgpB8RZB00mvt.pgp Description: PGP signature
Re: Newbie assumptions questions
Bruno Costacurta schrieb: [...] - serial information within the certificate is useless If you are still talking of only the serial number you are correct. But if you also know the issuing CA you can uniquely identify the certificate. A CRL (Certificate Revocation List) for example works by publishing the serial numbers which have been revoked by a CA and OCSP also tells you the status of a certificate if you only tell the (CA specific) responder the serial number. As far as I understand, the serial information within the certificate is only useful as a reference for the CA. This reference can be used by the CA to revoke the certificate. Is this correct ? Yes. Is there other action that can be made by the CA on a specific certificate (ie. renew, some metadata changes...) ? The CA may keep a database, indexed by the serial number, containing some information about the certificate (OpenSSL's CA command does this in the form of the index-file). So like you said the serial can help the CA to find metadata about a certificate, probably including the certificate itself (like in the OpenSSL CA). If the metadata contain the CSR (OpenSSL CA index does not) it would be possible to re-issue a certificate, possibly with modified metadata. Thanks, Bruno Hope it helps, Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 smime.p7s Description: S/MIME Cryptographic Signature
Re: Newbie assumptions questions
Bruno Costacurta schrieb: Hello, as a newbie, I have some assumptions / questions hereafter about OpenSSL and certificates. Many thanks to correct / confirm me. - a certificate is a public key with metadata - metadata contain mandatories (ie. subject and issuer) and optional parameters - there is no relation between the key algorithm (ie.RSA) and the format of the certificate (ie.PKCS#12) - a certificate can always be converted to another format - the certificate request (.csr) is obsolete (and so should be deleted) once the certificate is created by the CA - technically speaking a 'home-made' CA is egual to a 'professional' CA Almost 100% correct till here (PKCS#12 is not a format specific for certificates but a bag which can contain certificates, keys and probably other things). - the CA remains fully secure as long its private key remains undistributed / uncompromised ... and the key is strong enough not to be broken (brute force or otherwise). And your procedures are good enough that noone can trick you into issuing fake certificates. And many things more. So what you are saying is one important part of the truth, but you can probably spend a lifetime with the rest of it. - for a CA, files serial index files allows to maintain a (type of) database to persist which certificates (with related metadata values) were created by this CA Almost correct. The serial file has to make sure that there are no two certificates with the same serial number issued by the same CA. - serial information within the certificate is useless If you are still talking of only the serial number you are correct. But if you also know the issuing CA you can uniquely identify the certificate. A CRL (Certificate Revocation List) for example works by publishing the serial numbers which have been revoked by a CA and OCSP also tells you the status of a certificate if you only tell the (CA specific) responder the serial number. - can a certificate contain more than one public key ? That beats me. I don't think the typical client (that is, a browser) can handle multiple keys of the subject if it would be possible to encode it. And I cannot think of possible uses for multiple keys in one certificate. Of course more public keys could be included as certificate extensions if you write your own sofware that does something with these extensions. Thanks for attention. Bye, Bruno Hope it helps. Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 smime.p7s Description: S/MIME Cryptographic Signature
RE: Newbie question
Unfortunately, I don't control the server and don't believe there is an SSL connection to that component, but other components will require an SSL connection. So using SSL for everything is not possible. Doug -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bertram Scharpf Sent: Wednesday, January 31, 2007 7:44 PM To: openssl-users@openssl.org Subject: Re: Newbie question Hi, Am Mittwoch, 31. Jan 2007, 13:02:13 -0500 schrieb Doug Kunzman: Can openssl be used for HTTP communication without using SSL if in the future we are going to SSL communication to our project? You should consider using SSL right from the start. There are loads of key generation howtos on the web. I'm running Apache on Gentoo here and it worked right from the start. Just say openssl s_client ... instead of telnet ... on the client side. I experienced handling sensitive data comes earlier than you might reckon and it's no mistake to be prepared in time. Bertram -- Bertram Scharpf Stuttgart, Deutschland/Germany http://www.bertram-scharpf.de __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question
This is just a shot in the dark answer -- because I don't know of a way to use SSL without using SSL :) You can get a web-site project up and running using port 443 with a web-server (like apache), without using openSSL encryption on port 443 Then you can setup openSSL and your certs later and can encrypt communications over port 443. Bill Angus, MA http://www.psychtest.com - Original Message - From: Doug Kunzman To: openssl-users@openssl.org Sent: Wednesday, January 31, 2007 10:02 AM Subject: Newbie question Can openssl be used for HTTP communication without using SSL if in the future we are going to SSL communication to our project? Doug __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie question
All - I was looking for an interface or factory class like java has were you can switch between SocketFactory and SSLSocketFactory and both implement the Socket interface. Does this help? The port is no big deal but the low level asynchronous and sychrononous communication socket class seams like a problem that all ready been solved. Also, I'm a better Java programmer than C++ programmer does anyone know of a book that could help? Doug _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Angus Sent: Wednesday, January 31, 2007 2:43 PM To: openssl-users@openssl.org Subject: Re: Newbie question This is just a shot in the dark answer -- because I don't know of a way to use SSL without using SSL :) You can get a web-site project up and running using port 443 with a web-server (like apache), without using openSSL encryption on port 443 Then you can setup openSSL and your certs later and can encrypt communications over port 443. Bill Angus, MA http://www.psychtest.com - Original Message - From: Doug mailto:[EMAIL PROTECTED] Kunzman To: openssl-users@openssl.org Sent: Wednesday, January 31, 2007 10:02 AM Subject: Newbie question Can openssl be used for HTTP communication without using SSL if in the future we are going to SSL communication to our project? Doug __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie Needs Help!!!
Hello, When I do that, I now get: RAPTOR_$ openssl s_client -connect adtest:636 -CAfile certnew.pem CONNECTED(0003) depth=0 /CN=adtest.altdomain2000.psccos.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /CN=adtest.altdomain2000.psccos.com verify error:num=27:certificate not trusted verify return:1 depth=0 /CN=adtest.altdomain2000.psccos.com verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/CN=adtest.altdomain2000.psccos.com i:/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca Get server certificate (lets say server_cert.pem) and execute: $ openssl verify -CAfile certnew.pem server_cert.pem if this will return success, s_client will verify successfully this server cert too. Next information, certnew.pem should have CA cert from: C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie Needs Help!!!
Hi Dan, In message [EMAIL PROTECTED] on Mon, 25 Sep 2006 09:50:32 -0600, Dan O'Reilly [EMAIL PROTECTED] said: dano My CA is another system (Windows) and I requested it to create dano the trusted root certificate in PKCS7 format, which I copied to dano my VMS system. I can use OPENSSL PKCS7 to view the package dano contents, and it contains a single certificate. I then tried to dano do an OPENSSL VERIFY on that package, and it keeps coming up dano with NO START LINE and EXPECTING: TRUSTED CERTIFICATE dano errors. Finally, I tried openssl s_clienit -connect dano mydomain:636 -certfore der -CAfile pkcs7 package dano and it comes up with the following: You need to extract the certificate from that PKCS#7 package and use the resulting file. Since OPENSSL PKCS7 will give you the certificate in PEM format, the best you can probably do is save that in a .PEM file, and then use it as follows: openssl s_client -connect yourdomain:636 -CAfile certfile.PEM Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie Needs Help!!!
When I do that, I now get: RAPTOR_$ openssl s_client -connect adtest:636 -CAfile certnew.pem CONNECTED(0003) depth=0 /CN=adtest.altdomain2000.psccos.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /CN=adtest.altdomain2000.psccos.com verify error:num=27:certificate not trusted verify return:1 depth=0 /CN=adtest.altdomain2000.psccos.com verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/CN=adtest.altdomain2000.psccos.com i:/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca --- Server certificate stuff deleted for brevity subject=/CN=adtest.altdomain2000.psccos.com issuer=/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca --- Acceptable client certificate CA names a bunch of CA's listed, but NOT the local CA that issued the cert --- SSL handshake has read 3950 bytes and written 342 bytes --- New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher: RC4-MD5 Session-ID: AF0AC37F50DE8F069E626AF23D763831B871E78B7AD0886FB042B6731262 Session-ID-ctx: Master-Key: BB25F868F436649E68039E54D6F712E3AFDB6E523DA3A0FB0E16A9470F9D3CCE 0379BC95A59325993587E6DC2680224B Key-Arg : None Start Time: 1159402472 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- bad select 38 I obviously have the wrong certificates, but I have no idea (as should also be obvious) what certificates I really do need. The file I used as input to the -CAfile switch is the CA Certification Path as downloaded from the Windows box that runs the CA, and that I converted to PEM format. There's something not kosher about that certificate, but darned if I have any idea what. Any more suggestions? At 03:39 PM 9/27/2006, Richard Levitte - VMS Whacker wrote: Hi Dan, In message [EMAIL PROTECTED] on Mon, 25 Sep 2006 09:50:32 -0600, Dan O'Reilly [EMAIL PROTECTED] said: dano My CA is another system (Windows) and I requested it to create dano the trusted root certificate in PKCS7 format, which I copied to dano my VMS system. I can use OPENSSL PKCS7 to view the package dano contents, and it contains a single certificate. I then tried to dano do an OPENSSL VERIFY on that package, and it keeps coming up dano with NO START LINE and EXPECTING: TRUSTED CERTIFICATE dano errors. Finally, I tried openssl s_clienit -connect dano mydomain:636 -certfore der -CAfile pkcs7 package dano and it comes up with the following: You need to extract the certificate from that PKCS#7 package and use the resulting file. Since OPENSSL PKCS7 will give you the certificate in PEM format, the best you can probably do is save that in a .PEM file, and then use it as follows: openssl s_client -connect yourdomain:636 -CAfile certfile.PEM Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- +---++ | Dan O'Reilly | There are 10 types of people in this | | Principal Engineer| world: those who understand binary | | Process Software | and those who don't.| | http://www.process.com|| +---++ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie Needs Help!!!
Hello, Trying to use OpenSSL 0.9.8 on a VMS system. Specifically, I'm having problems using OpenSSL underneath OpenLDAP to talk to another non-OpenLDAP system and can't get THAT to work. It's been suggested that I use OPENSSL S_CLIENT to ensure my basic certificates are correct. My CA is another system (Windows) and I requested it to create the trusted root certificate in PKCS7 format, which I copied to my VMS system. I can use OPENSSL PKCS7 to view the package contents, and it contains a single certificate. I then tried to do an OPENSSL VERIFY on that package, and it keeps coming up with NO START LINE and EXPECTING: TRUSTED CERTIFICATE errors. Finally, I tried openssl s_clienit -connect mydomain:636 -certfore der -CAfile pkcs7 package and it comes up with the following: s_client uses PEM certificate list, try to convert this: $ openssl pkcs7 -in CA.p7b -inform der -print_certs CA.pem and then use CA.pem in CAfile parameter. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [NEWBIE] trying to convert DER file to PEM one
tizon wrote: Dear OpenSLL users, first of all, let me point out that I'm a total newbie in the area of encryption. So maybe, my question could sound stupid ... I'm using OpenSSL 0.9.8a-7build1 on Kubuntu Dapper. And i just would like to create a PEM certificat file with two DER encrypted file(i need to do that for my wifi setup). Before all, i've verified that i can read this file with the following command: openssl x509 -inform DER -in FILE.cer -noout -text Then i've tried the following command(to convert the file): openssl rsa -inform DER -outform PEM -in FILE.cer -out FILE.pem [...] Try using openssl x509 -inform DER -outform PEM -in FILE.cer -out FILE.pem (not openssl rsa ...) to convert the file. See http://www.openssl.org/docs/apps/x509.html Hope it helps. Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 smime.p7s Description: S/MIME Cryptographic Signature
Re: newbie in need for hints
Hello, In particular, having a separate certificate for each of the servers (desktop systems) really could be problematic considering the number of them, although having one for each client (print servers) could be feasible. If you control all this - this may be acceptable. Someone suggested to me that I use stunnel on both sides. Could this be the solution ? Yes. Since I entirely control the code on both the client and server sides, is there a simpler solution that could be implemented ? If you control your code better solution might be writing your own SSL layer in application. But this will be more complicated then using stunnel, but you will have better control on any SSL aspects and better integration with your application. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: newbie in need for hints
On Tue, Jun 13, 2006 at 09:20:04AM +0200, Marek Marcola wrote: Hello, In particular, having a separate certificate for each of the servers (desktop systems) really could be problematic considering the number of them, although having one for each client (print servers) could be feasible. If you control all this - this may be acceptable. No, I control the code on both sides, but not each site which want to install/use the software. I'd like to impose a minimal burden on the people who will manage each site. Someone suggested to me that I use stunnel on both sides. Could this be the solution ? Yes. The problem with this is that from what I understand stunnel still needs a certificate on the server side, so we are back to having to create/purchase/manage possibly thousands of certificates, which is entirely impractical, unless running all servers with the same certificate is possible. Is it ? (again I don't really care if a server really is the server it pretends to be, I only want to be sure that the client is the client it pretends to be). Any other solution or hint ? bye Jerome Alet __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: newbie in need for hints
Hello, The problem with this is that from what I understand stunnel still needs a certificate on the server side, so we are back to having to create/purchase/manage possibly thousands of certificates, which is entirely impractical, unless running all servers with the same certificate is possible. Is it ? Yes, it is. (again I don't really care if a server really is the server it pretends to be, I only want to be sure that the client is the client it pretends to be). So you may have one certificate for servers (like you said - server verification is not important) and certificates for every client. And on server you should enable client authentication (via SSL). This is of course one of possible solution. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.
Thanks Kyle. I had not been aware of the registration authority option. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Hamilton Sent: Monday, 3 April 2006 2:21 p.m. To: openssl-users@openssl.org Subject: Re: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco. On 4/2/06, Davidson, Brett (Managed Services) [EMAIL PROTECTED] wrote: I can set the Cisco certificate to authenticate to the W2K domain. That's reasonably simple. Deciding what to do about things after that gets a little interesting but that's another topic... :-) The anonymous connection requirements for expired passwords I understand but surely that's just a case of allowing access to the certificate server on the appropriate ports? (port 80 if web-based authentication is used, for instance)? If an account (or its password) is expired, it cannot authenticate. That's part of the problem, and the only way to change it is to allow anonymous RPC connections. I have read that Windows will not support port-based IPSec rules but that won't apply in this case. I'm not sure what you mean by port-based IPSec rules -- it does allow for the creation of policy that states that traffic, incoming or outgoing, over a given port or set of ports, MUST be IPsec'd. I wasn't thinking of using the Suse server as a passthrough for webclient certificate generation; as you surmise I suspect that would be more trouble than it's worth. There's enough written about how it's clumsy with ISA server to put me off that. I was considering using the Suse server as a certificate issuer in it's own right backed by a higher-level certificate on the W2K machine. (I don't want web users to authenticate on the domain; at least that's not a requirement yet, and if so, that should still be possible depending on the type of certificate issued by the W2K machine). There are two ways that you could do this -- have the webserver be a registration authority, i.e. it accepts CSRs from clients and sends them on to the certifying authority. Or, you can have it be an issuer in its own right, which will require that it have a certificate which is authorized to be a CA (ca:true, maxDepth=[something greater than 1]) by signing its certificate with the W2K CA in a CA mode. (The idea being that anything signed by the CA is authenticated by that CA.) -Kyle H __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.
The Cisco also needs to be exempted from the authenticated domain members rule, unless you can set its identifying certificate up as authenticatable to the domain. (You are authenticating against the Windows 2000 domain, correct?) There are known issues with restricting access to known machines only. See the Microsoft knowledge base for details. (Primarily, computers can't change their account passwords, users can't change their passwords after they expire, since that requires an anonymous connection, and a couple other things that are fairly annoying.) 'subordinate certificates to web clients'? Do you mean end-user TLS authentication certificates? If so... It should be possible to set up Certificate Services on a domain controller, then create a new Certificate Policy that will allow you to create a subordinate CA. Then, create an LDAP client (to run on the webserver) that has a certificate or other means to authenticate as something has permission to modify user attributes, specifically user-certificate. While it should theoretically be possible to send CSRs and then certificates through the Apache (SuSE) server via mod_proxy, I'm not entirely certain how the interactions between the domain server and the client would work in that case. Hire me as a consultant, and I can help more? ;) -Kyle H On 4/2/06, Davidson, Brett (Managed Services) [EMAIL PROTECTED] wrote: First some background. First issue: I'm wanting to establish certificate-driven, IPSec-based authentication and access on my local LAN. Participants are mainly Windows XP machines (including some laptops via wireless access points which started this process) and a SUSE Linux webserver. The current Windows 2000 server will have Group Policies implemented restricting access to authenticated domain members. (Obviously, the webserver will be excluded from some of these policies). Essentially. access to the domain and the domainserver should be restricted to known machines. What also needs to occur is that these same known machines require internet access via a Cisco 800 series router. (thus the same IPsec policies on the domain need to be applied as authentication-only policies on the router). Incoming traffic (as distinct from return traffic) needs to be allowed to the webserver. Second issue is that I wish the Linux webserver to be able to distribute subordinate certificates to web clients. Started to look at the planning for this and my brain started to hurt. Anyone tried this and can share some gotchas, do's and don'ts? Regards, Brett Davidson __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.
I take it that the easiest solution is to establish a certificate-authenticated VPN instead then? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Hamilton Sent: Monday, 3 April 2006 11:26 a.m. To: openssl-users@openssl.org Subject: Re: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco. The Cisco also needs to be exempted from the authenticated domain members rule, unless you can set its identifying certificate up as authenticatable to the domain. (You are authenticating against the Windows 2000 domain, correct?) There are known issues with restricting access to known machines only. See the Microsoft knowledge base for details. (Primarily, computers can't change their account passwords, users can't change their passwords after they expire, since that requires an anonymous connection, and a couple other things that are fairly annoying.) 'subordinate certificates to web clients'? Do you mean end-user TLS authentication certificates? If so... It should be possible to set up Certificate Services on a domain controller, then create a new Certificate Policy that will allow you to create a subordinate CA. Then, create an LDAP client (to run on the webserver) that has a certificate or other means to authenticate as something has permission to modify user attributes, specifically user-certificate. While it should theoretically be possible to send CSRs and then certificates through the Apache (SuSE) server via mod_proxy, I'm not entirely certain how the interactions between the domain server and the client would work in that case. Hire me as a consultant, and I can help more? ;) -Kyle H On 4/2/06, Davidson, Brett (Managed Services) [EMAIL PROTECTED] wrote: First some background. First issue: I'm wanting to establish certificate-driven, IPSec-based authentication and access on my local LAN. Participants are mainly Windows XP machines (including some laptops via wireless access points which started this process) and a SUSE Linux webserver. The current Windows 2000 server will have Group Policies implemented restricting access to authenticated domain members. (Obviously, the webserver will be excluded from some of these policies). Essentially. access to the domain and the domainserver should be restricted to known machines. What also needs to occur is that these same known machines require internet access via a Cisco 800 series router. (thus the same IPsec policies on the domain need to be applied as authentication-only policies on the router). Incoming traffic (as distinct from return traffic) needs to be allowed to the webserver. Second issue is that I wish the Linux webserver to be able to distribute subordinate certificates to web clients. Started to look at the planning for this and my brain started to hurt. Anyone tried this and can share some gotchas, do's and don'ts? Regards, Brett Davidson __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.
I can set the Cisco certificate to authenticate to the W2K domain. That's reasonably simple. Deciding what to do about things after that gets a little interesting but that's another topic... :-) The anonymous connection requirements for expired passwords I understand but surely that's just a case of allowing access to the certificate server on the appropriate ports? (port 80 if web-based authentication is used, for instance)? I have read that Windows will not support port-based IPSec rules but that won't apply in this case. I wasn't thinking of using the Suse server as a passthrough for webclient certificate generation; as you surmise I suspect that would be more trouble than it's worth. There's enough written about how it's clumsy with ISA server to put me off that. I was considering using the Suse server as a certificate issuer in it's own right backed by a higher-level certificate on the W2K machine. (I don't want web users to authenticate on the domain; at least that's not a requirement yet, and if so, that should still be possible depending on the type of certificate issued by the W2K machine). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Hamilton Sent: Monday, 3 April 2006 11:26 a.m. To: openssl-users@openssl.org Subject: Re: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco. The Cisco also needs to be exempted from the authenticated domain members rule, unless you can set its identifying certificate up as authenticatable to the domain. (You are authenticating against the Windows 2000 domain, correct?) There are known issues with restricting access to known machines only. See the Microsoft knowledge base for details. (Primarily, computers can't change their account passwords, users can't change their passwords after they expire, since that requires an anonymous connection, and a couple other things that are fairly annoying.) 'subordinate certificates to web clients'? Do you mean end-user TLS authentication certificates? If so... It should be possible to set up Certificate Services on a domain controller, then create a new Certificate Policy that will allow you to create a subordinate CA. Then, create an LDAP client (to run on the webserver) that has a certificate or other means to authenticate as something has permission to modify user attributes, specifically user-certificate. While it should theoretically be possible to send CSRs and then certificates through the Apache (SuSE) server via mod_proxy, I'm not entirely certain how the interactions between the domain server and the client would work in that case. Hire me as a consultant, and I can help more? ;) -Kyle H On 4/2/06, Davidson, Brett (Managed Services) [EMAIL PROTECTED] wrote: First some background. First issue: I'm wanting to establish certificate-driven, IPSec-based authentication and access on my local LAN. Participants are mainly Windows XP machines (including some laptops via wireless access points which started this process) and a SUSE Linux webserver. The current Windows 2000 server will have Group Policies implemented restricting access to authenticated domain members. (Obviously, the webserver will be excluded from some of these policies). Essentially. access to the domain and the domainserver should be restricted to known machines. What also needs to occur is that these same known machines require internet access via a Cisco 800 series router. (thus the same IPsec policies on the domain need to be applied as authentication-only policies on the router). Incoming traffic (as distinct from return traffic) needs to be allowed to the webserver. Second issue is that I wish the Linux webserver to be able to distribute subordinate certificates to web clients. Started to look at the planning for this and my brain started to hurt. Anyone tried this and can share some gotchas, do's and don'ts? Regards, Brett Davidson __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.
On 4/2/06, Davidson, Brett (Managed Services) [EMAIL PROTECTED] wrote: I can set the Cisco certificate to authenticate to the W2K domain. That's reasonably simple. Deciding what to do about things after that gets a little interesting but that's another topic... :-) The anonymous connection requirements for expired passwords I understand but surely that's just a case of allowing access to the certificate server on the appropriate ports? (port 80 if web-based authentication is used, for instance)? If an account (or its password) is expired, it cannot authenticate. That's part of the problem, and the only way to change it is to allow anonymous RPC connections. I have read that Windows will not support port-based IPSec rules but that won't apply in this case. I'm not sure what you mean by port-based IPSec rules -- it does allow for the creation of policy that states that traffic, incoming or outgoing, over a given port or set of ports, MUST be IPsec'd. I wasn't thinking of using the Suse server as a passthrough for webclient certificate generation; as you surmise I suspect that would be more trouble than it's worth. There's enough written about how it's clumsy with ISA server to put me off that. I was considering using the Suse server as a certificate issuer in it's own right backed by a higher-level certificate on the W2K machine. (I don't want web users to authenticate on the domain; at least that's not a requirement yet, and if so, that should still be possible depending on the type of certificate issued by the W2K machine). There are two ways that you could do this -- have the webserver be a registration authority, i.e. it accepts CSRs from clients and sends them on to the certifying authority. Or, you can have it be an issuer in its own right, which will require that it have a certificate which is authorized to be a CA (ca:true, maxDepth=[something greater than 1]) by signing its certificate with the W2K CA in a CA mode. (The idea being that anything signed by the CA is authenticated by that CA.) -Kyle H __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [Newbie] Conversion PEM -- DER (pkcs7) fails with demo certificate
Olaf Gellert wrote: Rainer Menzner wrote: 2) Create a binary encoded DER file as a public certificate: openssl.exe pkcs7 -inform PEM -outform DER -in pca-cert.pem -out test1.cer -text Well, what do you need? If you just want a DER file for a single certificate, just use: openssl x509 -in pca-cert.pem -outform DER -out pca-cert.cer yes, that's exactly what I was looking for. Thanks for your response and best regards, -Rainer Pkcs7 is more a utility to view PKCS7 files (which can contain more than one certificate). To build pkcs7-files you have to use the openssl utility crl2pkcs7. This one is a little bit funny: use it like this (untested): openssl crl2pkcs7 -certfile file1.pem -certfile file2.pem -out certs.pkcs7 -nocrl Crazy thing to use crl2pkcs7 with argument -nocrl ... :-) Olaf __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [Newbie] Conversion PEM -- DER (pkcs7) fails with demo certificate
Rainer Menzner wrote: 2) Create a binary encoded DER file as a public certificate: openssl.exe pkcs7 -inform PEM -outform DER -in pca-cert.pem -out test1.cer -text Well, what do you need? If you just want a DER file for a single certificate, just use: openssl x509 -in pca-cert.pem -outform DER -out pca-cert.cer Pkcs7 is more a utility to view PKCS7 files (which can contain more than one certificate). To build pkcs7-files you have to use the openssl utility crl2pkcs7. This one is a little bit funny: use it like this (untested): openssl crl2pkcs7 -certfile file1.pem -certfile file2.pem -out certs.pkcs7 -nocrl Crazy thing to use crl2pkcs7 with argument -nocrl ... :-) Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED] A daily view on Internet Attacks https://www.ecsirt.net/sensornet __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
Some problems w/reverse DNS prevented posting this until now. On Wed, Dec 28, 2005 at 07:12:30PM +0100, Dr. Stephen Henson wrote: On Wed, Dec 28, 2005, George Garvey wrote: I'm having a very similar problem as this one. I have a file I made from data sent from an AS2 system. The HTTP headers before the data are (abbreviated to the S/MIME stuff): Subject: EDIINTDATA Message-Id: [EMAIL PROTECTED] Disposition-Notification-To: inXServices Disposition-Notification-Options: signed-receipt-protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,sha1 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m Content-Disposition: inline; filename=smime.p7m Content-Length: 1334 I saved the 1334 bytes after the blank line following the Content-Length to a file. I can't seem to use that file with OpenSSL. You should be able to use the smime utility on the whole message including headers for example: openssl smime -verify -in message or to output a standard PKCS#7 structure in PEM format: openssl smime -pk7out -in message then the standard pkcs7 utility should tolerate it. Captured the HTTP post. Tried -verify as above: openssl smime -verify -in src/fo/van/as2/inbound/2005-12-28:12:10:47 Error reading S/MIME message 6747:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140: 6747:error:21078082:PKCS7 routines:B64_READ_PKCS7:decode error:pk7_mime.c:142: 6747:error:2107A08B:PKCS7 routines:SMIME_read_PKCS7:pkcs7 parse error:pk7_mime.c:315: __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
Some problems w/reverse DNS prevented posting this until now. On Wed, Dec 28, 2005 at 07:12:30PM +0100, Dr. Stephen Henson wrote: On Wed, Dec 28, 2005, George Garvey wrote: I'm having a very similar problem as this one. I have a file I made from data sent from an AS2 system. The HTTP headers before the data are (abbreviated to the S/MIME stuff): Subject: EDIINTDATA Message-Id: [EMAIL PROTECTED] Disposition-Notification-To: inXServices Disposition-Notification-Options: signed-receipt-protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,sha1 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m Content-Disposition: inline; filename=smime.p7m Content-Length: 1334 I saved the 1334 bytes after the blank line following the Content-Length to a file. I can't seem to use that file with OpenSSL. You should be able to use the smime utility on the whole message including headers for example: openssl smime -verify -in message or to output a standard PKCS#7 structure in PEM format: openssl smime -pk7out -in message then the standard pkcs7 utility should tolerate it. Captured the HTTP post. Tried -verify as above: openssl smime -verify -in src/fo/van/as2/inbound/2005-12-28:12:10:47 Error reading S/MIME message 6747:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140: 6747:error:21078082:PKCS7 routines:B64_READ_PKCS7:decode error:pk7_mime.c:142: 6747:error:2107A08B:PKCS7 routines:SMIME_read_PKCS7:pkcs7 parse error:pk7_mime.c:315: __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
On Mon, Jan 02, 2006, George Garvey wrote: Some problems w/reverse DNS prevented posting this until now. On Wed, Dec 28, 2005 at 07:12:30PM +0100, Dr. Stephen Henson wrote: On Wed, Dec 28, 2005, George Garvey wrote: I'm having a very similar problem as this one. I have a file I made from data sent from an AS2 system. The HTTP headers before the data are (abbreviated to the S/MIME stuff): Subject: EDIINTDATA Message-Id: [EMAIL PROTECTED] Disposition-Notification-To: inXServices Disposition-Notification-Options: signed-receipt-protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,sha1 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m Content-Disposition: inline; filename=smime.p7m Content-Length: 1334 I saved the 1334 bytes after the blank line following the Content-Length to a file. I can't seem to use that file with OpenSSL. You should be able to use the smime utility on the whole message including headers for example: openssl smime -verify -in message or to output a standard PKCS#7 structure in PEM format: openssl smime -pk7out -in message then the standard pkcs7 utility should tolerate it. Captured the HTTP post. Tried -verify as above: openssl smime -verify -in src/fo/van/as2/inbound/2005-12-28:12:10:47 Error reading S/MIME message 6747:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140: 6747:error:21078082:PKCS7 routines:B64_READ_PKCS7:decode error:pk7_mime.c:142: 6747:error:2107A08B:PKCS7 routines:SMIME_read_PKCS7:pkcs7 parse error:pk7_mime.c:315: Can you send the message (privately to me if you want) that is producing that error? Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
On Mon, Jan 02, 2006, Dr. Stephen Henson wrote: On Mon, Jan 02, 2006, George Garvey wrote: Some problems w/reverse DNS prevented posting this until now. On Wed, Dec 28, 2005 at 07:12:30PM +0100, Dr. Stephen Henson wrote: On Wed, Dec 28, 2005, George Garvey wrote: You should be able to use the smime utility on the whole message including headers for example: openssl smime -verify -in message or to output a standard PKCS#7 structure in PEM format: openssl smime -pk7out -in message then the standard pkcs7 utility should tolerate it. Captured the HTTP post. Tried -verify as above: openssl smime -verify -in src/fo/van/as2/inbound/2005-12-28:12:10:47 Error reading S/MIME message 6747:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140: 6747:error:21078082:PKCS7 routines:B64_READ_PKCS7:decode error:pk7_mime.c:142: 6747:error:2107A08B:PKCS7 routines:SMIME_read_PKCS7:pkcs7 parse error:pk7_mime.c:315: Can you send the message (privately to me if you want) that is producing that error? Ah I can see the problem. The current MIME parser (wrongly) assumes the transfer encoding will always be base64. A possible fix (haven't got round to checking this yet) is in RT id #1261. Alternatively if you just save the content excluding the headers to a file you can use the -inform DER option to the 'smime' utility. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie question X509 certificate stores SOLVED
There seems to be a problem with whatever has been used to save the data. It is prepending the byte 0, 1 to the start of the structure. If you skip these OpenSSL has no problems parsing the PKCS#7 data. Worked a treat. I downloaded an older version of the PKZIP application note, and everything became clear. The mysterious two bytes at the beginning are the version number (I assume of the version of M$ CryptoAPI used to create the store). I very vaguely remember something about it now, but I am using a newer version of PKZIPs Appnote, which for some reason omits this info. Kicking myself now. Thank you for all your help. Regards, Chris smime.p7s Description: S/MIME cryptographic signature
RE: Newbie question X509 certificate stores
What do you mean fails to open the store? What does the data look like that you are feeding into d2i_PKCS7()? Doies it have lines with -BEGIN in it? I cannot find this anywhere in the data. If the data is available as a file try: openssl pkcs7 -in file -inform DER openssl pkcs7 -in file and if both of those fail: openssl asn1parse -inform DER -in file I have saved the data blob to a file (which I have attached to the posting). All of the above commands fail with the same errors as d2i_PKCS7(). The asn1parse command complains about a bad Boolean. I am stumped here. Chris cert_store_data Description: Binary data
Re: Newbie question X509 certificate stores
On Wed, Dec 28, 2005, Chris Morrison wrote: What do you mean fails to open the store? What does the data look like that you are feeding into d2i_PKCS7()? Doies it have lines with -BEGIN in it? I cannot find this anywhere in the data. If the data is available as a file try: openssl pkcs7 -in file -inform DER openssl pkcs7 -in file and if both of those fail: openssl asn1parse -inform DER -in file I have saved the data blob to a file (which I have attached to the posting). All of the above commands fail with the same errors as d2i_PKCS7(). The asn1parse command complains about a bad Boolean. I am stumped here. There seems to be a problem with whatever has been used to save the data. It is prepending the byte 0, 1 to the start of the structure. If you skip these OpenSSL has no problems parsing the PKCS#7 data. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
I'm having a very similar problem as this one. I have a file I made from data sent from an AS2 system. The HTTP headers before the data are (abbreviated to the S/MIME stuff): Subject: EDIINTDATA Message-Id: [EMAIL PROTECTED] Disposition-Notification-To: inXServices Disposition-Notification-Options: signed-receipt-protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,sha1 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m Content-Disposition: inline; filename=smime.p7m Content-Length: 1334 I saved the 1334 bytes after the blank line following the Content-Length to a file. I can't seem to use that file with OpenSSL. On Wed, Dec 28, 2005 at 12:45:18AM +0100, Dr. Stephen Henson wrote: What does the data look like that you are feeding into d2i_PKCS7()? Doies it have lines with -BEGIN in it? No. If the data is available as a file try: openssl pkcs7 -in file -inform DER openssl pkcs7 -inform DER -in src/fo/van/as2/msg.enc unable to load PKCS7 object 23182:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946: 23182:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=PKCS7 openssl pkcs7 -in file openssl pkcs7 -in src/fo/van/as2/msg.enc unable to load PKCS7 object 23183:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:637:Expecting: PKCS7 and if both of those fail: openssl asn1parse -inform DER -in file openssl asn1parse -inform DER -in src/fo/van/as2/msg.enc 0:d=0 hl=2 l= 10 prim: EOC There are also some proprietary store outputs from CryptoAPI which can be produced which OpenSSL cannot handle. Steve. Supposedly the public key produced is X.509. However, I can't read that with OpenSSL, either. I an read the private key (which is documented by the AS2 software as PKS#1 RSA private key -- I assume they mean PKCS#1). I can provide the file to anyone who can assist with this. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
On Wed, Dec 28, 2005, George Garvey wrote: I'm having a very similar problem as this one. I have a file I made from data sent from an AS2 system. The HTTP headers before the data are (abbreviated to the S/MIME stuff): Subject: EDIINTDATA Message-Id: [EMAIL PROTECTED] Disposition-Notification-To: inXServices Disposition-Notification-Options: signed-receipt-protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,sha1 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m Content-Disposition: inline; filename=smime.p7m Content-Length: 1334 I saved the 1334 bytes after the blank line following the Content-Length to a file. I can't seem to use that file with OpenSSL. You should be able to use the smime utility on the whole message including headers for example: openssl smime -verify -in message or to output a standard PKCS#7 structure in PEM format: openssl smime -pk7out -in message then the standard pkcs7 utility should tolerate it. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie question X509 certificate stores
-Original Message- From: [EMAIL PROTECTED] [mailto:owner-openssl- [EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson Sent: 13 August 2005 17:44 To: openssl-users@openssl.org Subject: Re: Newbie question X509 certificate stores On Sat, Aug 13, 2005, Chris Morrison wrote: Michael wrote: Hi Chris, What type of keystores are you talking about here? (pkcs#12?) It's a PKCS#7 store, I am trying to read the certificate store from a digitally signed ZIP file. I have done it with no probs in VC++ using Microsoft's CryptoAPI, you just read the data into a buffer, which you use to create a CRYPT_DATA_BLOB object that can be passed to the CertOpenStore() function. I cannot see how to do this in openSSL, assuming that it can be done. Ah now that's a different thing entirely. CryptoAPI for its own reasons decides to allow parsing of certificates only PKCS#7 data using its certficate store functions. OpenSSL instead allows PKCS#7 data to be converted to an internal structure called PKCS7 which contains the details of the parsed data. If the relevant data is in memory d2i_PKCS7() will create the structure. From then on you can follow the code which is called with the print_certs function in apps/pkcs7.c. I've finally found time to get back to this project. Thanks for the pointers Steve. However, I've tried using the above call d2i_PKCS7(), but it fails to open the store with the errors below. 4777:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946: 4777:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=PKCS7 What are these supposed to mean? When is there going to be some documentation for the API of OpenSSL? Chris smime.p7s Description: S/MIME cryptographic signature
Re: Newbie question X509 certificate stores
On Tue, Dec 27, 2005, Chris Morrison wrote: I've finally found time to get back to this project. Thanks for the pointers Steve. However, I've tried using the above call d2i_PKCS7(), but it fails to open the store with the errors below. 4777:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946: 4777:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=PKCS7 What do you mean fails to open the store? What does the data look like that you are feeding into d2i_PKCS7()? Doies it have lines with -BEGIN in it? If the data is available as a file try: openssl pkcs7 -in file -inform DER openssl pkcs7 -in file and if both of those fail: openssl asn1parse -inform DER -in file There are also some proprietary store outputs from CryptoAPI which can be produced which OpenSSL cannot handle. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie dev problems: EVP_DecryptFinal:wrong final block length
On Wed, Nov 23, 2005, roro GRONAN wrote: Hi everybody, i'm new with the openssl libs (0.9.8a), I try to develop a program wich need to produce a file that can be decrypted with the openssl command line tool. i choosed des_ede3_cbc as the syemtric algorithm. the encryption part of my code is given at the end of this post. I verified with my debugger that the key/iv generated via EVP_BytesToKey () is the same via my program and with the openssl comand line tool. the file crypted with my program and with the openssl comand line tool doesn't have many diffence (but they differs!) I inspected the first 384 bytes of a 2 854 802 byte long file with a binary editor. It show that at the offset 0x45 on my file there is one byte added (0x0d) and at the offset 0x4d there is also another 0x0d added that's all for the first 384 bytes! I tryed with a 128 byte buffer and a 512 byte buffer I obtained exactly the same output... 0x0d in ASCII is the CR character which points to something not being in binary mode... err += fopen_s(fpCryptFile,argv[5], w); So have you tried wb mode in the line above? Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
So many replies. I don't know where to start. Chris Morrison wrote: Hi all, I have recently moved over to Linux, having rid my computer of the M $.Windows virus. I am porting a program that I wrote over to Linux and I am looking for a library to provide X509 digital certificate functions. Micro$oft provide a function in their CryptoAPI called CertOpenStore() which allows you to open a digital certificate store from a file or memory. Is there such a function under OpenSSL? It look like a great library but the lack of documentation on the API (that I can find) is a major drag. Regards, Chris __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
Hi Chris, What type of keystores are you talking about here? (pkcs#12?) Michael. On 8/13/05, Chris Morrison [EMAIL PROTECTED] wrote: So many replies. I don't know where to start. Chris Morrison wrote: Hi all, I have recently moved over to Linux, having rid my computer of the M $.Windows virus. I am porting a program that I wrote over to Linux and I am looking for a library to provide X509 digital certificate functions. Micro$oft provide a function in their CryptoAPI called CertOpenStore() which allows you to open a digital certificate store from a file or memory. Is there such a function under OpenSSL? It look like a great library but the lack of documentation on the API (that I can find) is a major drag. Regards, Chris __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie SSL_write question
Thanks for Jagannadha and David for their replies and help with this. I delved into the server-side of the code yesterday and found the fault (luckily it's someone elses!). Basically the server wasn't using select and fd_set/fd_isset correctly, and was terminating the socket after 32k of recieved data. Still, I've learnt a lot from David and Jagannadha, thanks again for taking the time to reply to my post. Michael. On 8/12/05, Jagannadha Bhattu Gosukonda [EMAIL PROTECTED] wrote: Call ERR_clear_error() before while loop and call ERR_get_error_line_data in a loop till it returns 0 inside SSL_ERROR_SYSCALL case. This may give you some idea on what went wrong. JB On 8/11/05, Michael [EMAIL PROTECTED] wrote: On 8/11/05, David Schwartz [EMAIL PROTECTED] wrote: snip My code uses blocking sockets, has the SSL_CTX SSL_MODE_ENABLE_PARTIAL_WRITE option set and loops on the ssl_read but the socket is closed after the first 32k is sent. Why, if a message block size is 16k, does the first 32k of a message get written/read, then the socket dropped? snip Give us example code or more detailed information about what you mean by the socket dropped and how you determined that. My bet is simply that there's a bug in your code. With non-blocking sockets, you have to test the return value of SSL_read and properly handle partial or failed sends. You may get a failed send if there was insufficient space to fit a single block of protocol data (or if protocol data was sent that corresponds to zero bytes of application data!). You may get a partial send. Thanks for your reply David - I think you're probably right about my code! ;-) Upon your suggestion I added some more cases to test the return code of ssl_write and found that I am getting a SSL_ERROR_SYSCALL after the first 32 bytes. Here is is the code. As mentioned before, I have the SSL_CTX set with partial writes enabled, the main write loop is as follows (for clarity,I've removed all the tests of ssl_write other than those that get called). --start char error_str[BUFF_SIZE] char out_buf[BUFFSIZE]; int sent_bytes=0; int offset=0; int bytes_to_send = length of data in out_buf fprintf(stderr, - Attempting to write %d bytes\n, bytes_to_send); while(bytes_to_send){ sent_bytes = SSL_write(p_ssl, out_buf+offset, bytes_to_send); switch(SSL_get_error(p_ssl, sent_bytes)) { case SSL_ERROR_NONE: bytes_to_send -= sent_bytes; offset += sent_bytes; fprintf(stderr, - Written %d bytes\n, sent_bytes); break; case SSL_ERROR_SYSCALL: error_str = Err_error_string(Err_get_error()); fprintf(stderr, - SSL_ERROR_SYSCALL: %s\n, error_str); return false; // exit routine default: fprintf(stderr, - SSL_write reports %d\n, sent_bytes); return false; // exit routine } } --end-- When I try and write more than 32k I get the following messages... - Attempting to write 59266 bytes - Written 16384 bytes - Written 16384 bytes - SSL_ERROR_SYSCALL: error::lib(0):func(0):reason(0) I have SSL_load_error_strings() earlier in my code, but don't get any more information than this. I'm still at a loss as to whats happening here, but many thanks for your help in getting this far. Michael. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
Michael wrote: Hi Chris, What type of keystores are you talking about here? (pkcs#12?) It's a PKCS#7 store, I am trying to read the certificate store from a digitally signed ZIP file. I have done it with no probs in VC++ using Microsoft's CryptoAPI, you just read the data into a buffer, which you use to create a CRYPT_DATA_BLOB object that can be passed to the CertOpenStore() function. I cannot see how to do this in openSSL, assuming that it can be done. Chris __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
On Sat, Aug 13, 2005, Chris Morrison wrote: Michael wrote: Hi Chris, What type of keystores are you talking about here? (pkcs#12?) It's a PKCS#7 store, I am trying to read the certificate store from a digitally signed ZIP file. I have done it with no probs in VC++ using Microsoft's CryptoAPI, you just read the data into a buffer, which you use to create a CRYPT_DATA_BLOB object that can be passed to the CertOpenStore() function. I cannot see how to do this in openSSL, assuming that it can be done. Ah now that's a different thing entirely. CryptoAPI for its own reasons decides to allow parsing of certificates only PKCS#7 data using its certficate store functions. OpenSSL instead allows PKCS#7 data to be converted to an internal structure called PKCS7 which contains the details of the parsed data. If the relevant data is in memory d2i_PKCS7() will create the structure. From then on you can follow the code which is called with the print_certs function in apps/pkcs7.c. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie SSL_write question
Call ERR_clear_error() before while loop and call ERR_get_error_line_data in a loop till it returns 0 inside SSL_ERROR_SYSCALL case. This may give you some idea on what went wrong. JB On 8/11/05, Michael [EMAIL PROTECTED] wrote: On 8/11/05, David Schwartz [EMAIL PROTECTED] wrote: snip My code uses blocking sockets, has the SSL_CTX SSL_MODE_ENABLE_PARTIAL_WRITE option set and loops on the ssl_read but the socket is closed after the first 32k is sent. Why, if a message block size is 16k, does the first 32k of a message get written/read, then the socket dropped? snip Give us example code or more detailed information about what you mean by the socket dropped and how you determined that. My bet is simply that there's a bug in your code. With non-blocking sockets, you have to test the return value of SSL_read and properly handle partial or failed sends. You may get a failed send if there was insufficient space to fit a single block of protocol data (or if protocol data was sent that corresponds to zero bytes of application data!). You may get a partial send. Thanks for your reply David - I think you're probably right about my code! ;-) Upon your suggestion I added some more cases to test the return code of ssl_write and found that I am getting a SSL_ERROR_SYSCALL after the first 32 bytes. Here is is the code. As mentioned before, I have the SSL_CTX set with partial writes enabled, the main write loop is as follows (for clarity,I've removed all the tests of ssl_write other than those that get called). --start char error_str[BUFF_SIZE] char out_buf[BUFFSIZE]; int sent_bytes=0; int offset=0; int bytes_to_send = length of data in out_buf fprintf(stderr, - Attempting to write %d bytes\n, bytes_to_send); while(bytes_to_send){ sent_bytes = SSL_write(p_ssl, out_buf+offset, bytes_to_send); switch(SSL_get_error(p_ssl, sent_bytes)) { case SSL_ERROR_NONE: bytes_to_send -= sent_bytes; offset += sent_bytes; fprintf(stderr, - Written %d bytes\n, sent_bytes); break; case SSL_ERROR_SYSCALL: error_str = Err_error_string(Err_get_error()); fprintf(stderr, - SSL_ERROR_SYSCALL: %s\n, error_str); return false; // exit routine default: fprintf(stderr, - SSL_write reports %d\n, sent_bytes); return false; // exit routine } } --end-- When I try and write more than 32k I get the following messages... - Attempting to write 59266 bytes - Written 16384 bytes - Written 16384 bytes - SSL_ERROR_SYSCALL: error::lib(0):func(0):reason(0) I have SSL_load_error_strings() earlier in my code, but don't get any more information than this. I'm still at a loss as to whats happening here, but many thanks for your help in getting this far. Michael. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie SSL_write question
I have a 'problem' that has been reported before, namely that only the first 32k of my messages are being sent/read by my openSSL client/server. The original post is here: http://marc.theaimsgroup.com/?l=openssl-usersm=101180918225646w=2. The solution given was to read the man pages for SSL_read SSL_write, but -- probably because I'm not as experienced as others -- I am still stumped. My code uses blocking sockets, has the SSL_CTX SSL_MODE_ENABLE_PARTIAL_WRITE option set and loops on the ssl_read but the socket is closed after the first 32k is sent. Why, if a message block size is 16k, does the first 32k of a message get written/read, then the socket dropped? I'm hoping someone with some patience can help me here... Thanks in advance, I'm sorry if this is a trivial question for some, but I'm still learning how OpenSSL works... Give us example code or more detailed information about what you mean by the socket dropped and how you determined that. My bet is simply that there's a bug in your code. With non-blocking sockets, you have to test the return value of SSL_read and properly handle partial or failed sends. You may get a failed send if there was insufficient space to fit a single block of protocol data (or if protocol data was sent that corresponds to zero bytes of application data!). You may get a partial send. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie SSL_write question
On 8/11/05, David Schwartz [EMAIL PROTECTED] wrote: snip My code uses blocking sockets, has the SSL_CTX SSL_MODE_ENABLE_PARTIAL_WRITE option set and loops on the ssl_read but the socket is closed after the first 32k is sent. Why, if a message block size is 16k, does the first 32k of a message get written/read, then the socket dropped? snip Give us example code or more detailed information about what you mean by the socket dropped and how you determined that. My bet is simply that there's a bug in your code. With non-blocking sockets, you have to test the return value of SSL_read and properly handle partial or failed sends. You may get a failed send if there was insufficient space to fit a single block of protocol data (or if protocol data was sent that corresponds to zero bytes of application data!). You may get a partial send. Thanks for your reply David - I think you're probably right about my code! ;-) Upon your suggestion I added some more cases to test the return code of ssl_write and found that I am getting a SSL_ERROR_SYSCALL after the first 32 bytes. Here is is the code. As mentioned before, I have the SSL_CTX set with partial writes enabled, the main write loop is as follows (for clarity,I've removed all the tests of ssl_write other than those that get called). --start char error_str[BUFF_SIZE] char out_buf[BUFFSIZE]; int sent_bytes=0; int offset=0; int bytes_to_send = length of data in out_buf fprintf(stderr, - Attempting to write %d bytes\n, bytes_to_send); while(bytes_to_send){ sent_bytes = SSL_write(p_ssl, out_buf+offset, bytes_to_send); switch(SSL_get_error(p_ssl, sent_bytes)) { case SSL_ERROR_NONE: bytes_to_send -= sent_bytes; offset += sent_bytes; fprintf(stderr, - Written %d bytes\n, sent_bytes); break; case SSL_ERROR_SYSCALL: error_str = Err_error_string(Err_get_error()); fprintf(stderr, - SSL_ERROR_SYSCALL: %s\n, error_str); return false; // exit routine default: fprintf(stderr, - SSL_write reports %d\n, sent_bytes); return false; // exit routine } } --end-- When I try and write more than 32k I get the following messages... - Attempting to write 59266 bytes - Written 16384 bytes - Written 16384 bytes - SSL_ERROR_SYSCALL: error::lib(0):func(0):reason(0) I have SSL_load_error_strings() earlier in my code, but don't get any more information than this. I'm still at a loss as to whats happening here, but many thanks for your help in getting this far. Michael. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie SSL_write question
When I try and write more than 32k I get the following messages... - Attempting to write 59266 bytes - Written 16384 bytes - Written 16384 bytes - SSL_ERROR_SYSCALL: error::lib(0):func(0):reason(0) I have SSL_load_error_strings() earlier in my code, but don't get any more information than this. I'm still at a loss as to whats happening here, but many thanks for your help in getting this far. Follow up to see what the error was.(Check 'errno' on UNIX, check WSAGetLastError on Windows.) DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie S/MIME decryption questions
On Mon, Apr 18, 2005, Christian Gütter wrote: Hi, I would like to use OpenSSL 0.97c for Windows to decrypt S/MIME encrypted messages which contain attachments. I am especially interested in decrypting the attachments. 0.9.7c is old, you should use the latest version. 0.9.7g if possible. I had expected that the new file dest.msg would contain the decrypted message. But as you can see in [2], the new file is still encrypted. No it isn't :-) [2] Destination File Content-Type: application/x-pkcs7-mime; name=smime.p7m; smime-type=signed-data Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7m MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCAJIAEggazQ29u [snipped more data] If you look in that header you'll see it is *signed*. That's how S/MIME clients handle signed and encrypted email. If you do: openssl smime -verify -in destination -out message it will attempt to verify the message (which will probably give an error becaue it can't find the signing CA) and write the content out to the file 'message'. The file 'message' should contain the original email with any attachments. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie S/MIME decryption questions
Hi Steve, thanks for your answer. 0.9.7c is old, you should use the latest version. 0.9.7g if possible. Will do that. If you do: openssl smime -verify -in destination -out message it will attempt to verify the message (which will probably give an error becaue it can't find the signing CA) and write the content out to the file 'message'. Unfortunately, this does not work for me. OpenSSL throws the following error: Verification failure 2472:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smi me.c:222:Verify error:self signed certificate in certificate chain The file 'message' should contain the original email with any attachments. The file 'message' is empty then (0 bytes). Do you know what is going on? Thanks, Christian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie S/MIME decryption questions
On Mon, Apr 18, 2005, Christian Gütter wrote: Hi Steve, thanks for your answer. 0.9.7c is old, you should use the latest version. 0.9.7g if possible. Will do that. If you do: openssl smime -verify -in destination -out message it will attempt to verify the message (which will probably give an error becaue it can't find the signing CA) and write the content out to the file 'message'. Unfortunately, this does not work for me. OpenSSL throws the following error: Verification failure 2472:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smi me.c:222:Verify error:self signed certificate in certificate chain The file 'message' should contain the original email with any attachments. The file 'message' is empty then (0 bytes). Do you know what is going on? Add -noverify to the command line options. That will disable certificate verification: which is the cause of that error message. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie S/MIME decryption questions
Hi Steve, Add -noverify to the command line options. That will disable certificate verification: which is the cause of that error message. This worked. Thank you very much for sharing your insight into the mighty command line options of OpenSSL! Christian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [newbie] generating a random key?
I'm trying to generate a more or less random key. I was trying to do something similar, but then I found the EVP_SealInit family of functions which generate a random key and init vector for you. Maybe you have different needs, but I thought I would at least make you aware of it. Mike __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [newbie] generating a random key?
On Apr 10, 2005, at 21:18, Michael D'Errico wrote: I'm trying to generate a more or less random key. I was trying to do something similar, but then I found the EVP_SealInit family of functions which generate a random key and init vector for you. Maybe you have different needs, but I thought I would at least make you aware of it. Thanks. Unfortunately, I don't have access to openssl under the current scenario, so I'm trying to use the few cryptographic functions I have instead :) Cheers -- PA, Onnay Equitursay http://alt.textdrive.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie: how to use openssl library
I know that it will be compiled with nmake, but I need to know whether I can compile it in my VC environment. Anyway it is working now after I included the library in my project settings. Thank you for your help On Apr 4, 2005 12:36 PM, Tan Eng Ten [EMAIL PROTECTED] wrote: why did you have to manually (or separately) compile the /crypto/rsa/rsa_test.c? that should be done when you compile the entire openssl package with nmake; and subsequently nmake test. okay, maybe you decided to try it out on your own VC workspace. have you included libeay32.lib and ssleay32.lib(may not be needed if you do not use SSL/TLS in your codes) in your project settings? Yoana Melissa L. wrote: Hi, I need to use openssl library to do RSA encryption/decryption. I already installed openssl on my computer but when I tried to compile rsa_test.c on \crypto\rsa folder of openssl directory, the compiler give me many 'unresolved external symbol' error message. I already copy the .lib to my compiler directory ( I am using Visual C++ 6.0) and the .dll files to my System directory. Are anything else that I should to before I can use openssl functions? Thank you. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie: how to use openssl library
why did you have to manually (or separately) compile the /crypto/rsa/rsa_test.c? that should be done when you compile the entire openssl package with nmake; and subsequently nmake test. okay, maybe you decided to try it out on your own VC workspace. have you included libeay32.lib and ssleay32.lib(may not be needed if you do not use SSL/TLS in your codes) in your project settings? Yoana Melissa L. wrote: Hi, I need to use openssl library to do RSA encryption/decryption. I already installed openssl on my computer but when I tried to compile rsa_test.c on \crypto\rsa folder of openssl directory, the compiler give me many 'unresolved external symbol' error message. I already copy the .lib to my compiler directory ( I am using Visual C++ 6.0) and the .dll files to my System directory. Are anything else that I should to before I can use openssl functions? Thank you. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question (with answer - long)
On Fri, 2005-04-01 at 07:31 +0530, Denis wrote: Don't you need to allocate some memory to be able to store the RSA key in r_rsa? I assumed that would happen automatically due to the 'pointer-to- pointer' parameter. Best regards, jules BTW: Doing the following solved my problem: RSA *read_pub_key(const char *pubkey_file) { RSA *key = NULL; BIO *bp; ERR_load_crypto_strings(); bp = BIO_new(BIO_s_file()); if (BIO_read_filename(bp, pubkey_file) = 0) { perror(pubkey_file); goto exit;; } key = PEM_read_bio_RSAPublicKey(bp, NULL, NULL, NULL); if (!key) { ERR_print_errors_fp(stderr); goto exit; } exit: BIO_free(bp); return key; } RSA *read_priv_key(const char *privkey_file) { RSA *key = NULL; BIO *bp; SSLeay_add_all_algorithms(); ERR_load_PEM_strings(); bp = BIO_new(BIO_s_file()); if (BIO_read_filename(bp, privkey_file) = 0) { perror(privkey_file); goto exit; } key = PEM_read_bio_RSAPrivateKey(bp, NULL, NULL, NULL); if (!key) { ERR_print_errors_fp(stderr); goto exit; } exit: BIO_free(bp); return key; } void create_rsa_files(const char *pubkey_file, const char *privkey_file) { RSA *rsa; RSA *pub_rsa; RSA *priv_rsa; int len; unsigned char buf[RSA_KEY_LENGTH * 2]; unsigned char *p; HCRYPTPROV cx = NULL; if (!CryptAcquireContextA(cx, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) { DWORD err = GetLastError(); printf(Could not acquire a cryptographic context - %X\n, err); } unsigned char seed[64]; if (!CryptGenRandom(cx, 64, seed)) printf(Could not get random seed\n); RAND_seed(seed, 64); if (!CryptReleaseContext(cx, 0)) { DWORD err = GetLastError(); printf(Could not release the cryptographic context - %X\n, err); } rsa = RSA_generate_key(RSA_KEY_LENGTH, RSA_F4, NULL, (char *)stdout); RSA_blinding_on(rsa, NULL); p = buf; /* Save the public key into buffer, we know it will be big enough * but we should really check how much space we need by calling the * i2d functions with a NULL second parameter */ len = i2d_RSAPublicKey(rsa, p); len += i2d_RSAPrivateKey(rsa, p); printf(The public and private key are now both in a char array\n); printf(and are taking up %d bytes\n, len); printf(%s\n, buf); RSA_free(rsa); p = buf; pub_rsa = d2i_RSAPublicKey(NULL, (const unsigned char**) p, (long)len); len -= (p-buf); priv_rsa = d2i_RSAPrivateKey(NULL, (const unsigned char**)p, (long)len); if ((pub_rsa == NULL) || (priv_rsa == NULL)) ERR_print_errors_fp(stderr); if (!RSA_check_key(priv_rsa)) printf(Private RSA not validated\n); else printf(Private RSA OK\n); // store public key BIO *pub = BIO_new_file(pubkey_file, w); PEM_write_bio_RSAPublicKey(pub, pub_rsa); BIO_free(pub); RSA_free(pub_rsa); // store private key BIO *priv = BIO_new_file(privkey_file, w); PEM_write_bio_RSAPrivateKey(priv, priv_rsa, NULL, NULL, 0, NULL, NULL); BIO_free(priv); RSA_free(priv_rsa); } __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]